Hi guys
Does JWT support sign out? Thanks!
Hi,
What do you mean exactly? If you want to sign out a user, just make it forget the token (for example by removing the cookie that stores it, if that's how you keep track of it).
I also want to know if you can revoke/expire a token server-side. If, for example, you have a protected route accessed via the token in the URL as a parameter, it will be stored in the browser history, allowing logged-in access to that view after a "log out" if it is not revoked server-side, right?
The only practical way I see to invalidate tokens server-side is to have a table of expired tokens where you store tokens once users log out, and then purge the old expired tokens via a cron job.
Another option would be to have a 'logged_in' flag on the user model which you update upon login/logout and use only to check whether the token should be accepted or not, but that would log out your user globally from all devices at once.
One solution would be to use Redis (or something similar) as a blacklist for tokens that have not yet expired but need to be "invalidated".
    const { promisify } = require('util');
    const verify = promisify(require('jsonwebtoken').verify);

    app.post('/blacklist', (req, res, next) =>
      verify(req.body.token, SECRET)                                  // reject forged/expired tokens first
        .then(decoded => decoded.exp - Math.floor(Date.now() / 1000)) // seconds of life the token has left
        .then(ttl => redis.set(req.body.token, '1', 'EX', ttl))       // key expires together with the token
        .then(() => res.sendStatus(204))
        .catch(next));
Then you'd just check whether there is an entry for the token in the blacklist when verifying it.
@tanelih sorry for reopening this, but how do you keep track of the issued tokens? The point of using JWTs is not to use a database for session management.
Imagine I lost my phone and I log in to the web app and want to block access from my phone: how do I get the token that is stored on my phone and revoke it?!
@e-nouri that's quite an interesting question. I'm not really sure on the matter, but you could always have some sort of data in the token, which could contain, for example, the device it was issued to, and then work from there...
However, I suppose if you'd need per-"session / token" tracking, you might need some sort of "whitelist" approach, which in a sense goes against the point of JWTs. I'm sure someone else might have a better idea; I've not worked with JWTs for some time now... :-)
+1, I am actually working on a project and have a similar situation... is there an Auth0-recommended way to revoke/disable tokens?
@tanelih @ashishtilara this is the solution I built; it uses Redis to take advantage of the TTL: http://e-nouri.com/blacklist-revocation-jwt-without-cron-job/.