Logout/invalidate a JWT

I'm using custom authentication in Azure Mobile Services by generating a JWT (JSON Web Token) in a custom login API. Once a user has a JWT, it's valid until its encoded expiry time is reached.

Beyond explicitly checking the JWT token against a sessions table on every authenticated request, is there a way to invalidate the JWT token before its expiry time (as would happen when a user logs out) such that any subsequent request made with that token as a value in the X-ZUMO-AUTH header would never reach any table API or custom API scripts?

Steve Avatar asked Feb 19 '14 04:02



People also ask

Should JWT tokens be invalidated on the server after logout?

We'll also want to generate a refresh token to maintain the same user session (refreshing the expiration) as long as they're logged in. Once they're logged out, we can let the JWT token expire, and invalidate it. That being said, we'll need to map a device as well as the refresh token to a user's session.

How do you invalidate a JWT token?

New JWT tokens would set their version to this. When you validate the JWT, simply check that it has a version number equal to the user's current JWT version. Any time you want to invalidate old JWTs, just bump the user's JWT version number.

How do you expire a single JWT token?

Store the revoked JWT tokens in Redis. Use the token as the key and the value is always a boolean true. The token will be stored only for a specific amount of time, which is the time in the exp claim; after the expiration time it will be deleted from Redis. This way revokes only one token at a time, perfect!


1 Answer

Not really. When a user logs out in the client the JWT it uses isn't really invalidated - it's just removed from the client's memory (see the code on the managed SDK, for example). The JWT validation is done by checking its signature against the mobile service's master key, and unless this key is changed (which would invalidate all of your service's JWT tokens, which I don't think is what you want), the token will be valid until it's expired.

Since you're generating the JWTs yourself you can consider using a smaller expiration time which may help in your case.

You can also suggest this feature in the mobile service's feedback forum. There's one related feature suggestion which I created, you can also consider adding a comment to that and voting it up.

carlosfigueira Avatar answered Oct 17 '22 03:10
