Lexikjwtauthenticationbundle: Invalidate token

Created on 8 Dec 2014  路  4Comments  路  Source: lexik/LexikJWTAuthenticationBundle

Is there a way to invalidate the token from a controller ???

All 4 comments

Hi,

Token invalidation is not implemented as it is not part of the JWT specification. If you really need it, take a look at this thread.

@slashfan I got here while searching for the same thing. Thanks for the shared link - it was very useful.

As i implemented one of the suggestions there with Lexik id like to share it for others. Sure one could discuss now if this is still stateless now - anyway i think that the db query is fine as Symfony is doing so anyway and there are hardly no solutions without beeing kind of stateful.

Here is what i did:

  1. i added a property tokenValidAfter which is a date on the User entity
  2. i update this date to the current one whenever i want to invalidate previous issued tokens for the user (change password, reset password, logout from all devices action)
  3. i listen the JWTDecodedEvent to mark the token as invalid if the token is older than that date

I tried to ensure few things:

  • DONT store tokens themselves in any place on the server or database
  • DONT add additional data to the payload

Gist: https://gist.github.com/benjaminrau/865f94d142605eb72a23a34ccdd0617a

@benjaminrau with your solution if a sure is logged into two different computers, logging out on one logs out on all, right?

@waspinator Yes, if intended. A "logout from all" would change the tokenValidAfter date and thus logout from all computers / invalidate all tokens. Regular logout would not change tokenValidAfter and user can logout from just one place.

Was this page helpful?
0 / 5 - 0 ratings