15

I'm using custom authentication in Azure Mobile Services by generating a JWT (JSON Web Token) in a custom login API. Once a user has a JWT, it's valid until its encoded expiry time is reached.

Beyond explicitly checking the JWT token against a sessions table on every authenticated request, is there a way to invalidate the JWT token before its expiry time (as would happen when a user logs out) such that any subsequent request made with that token as a value in the X-ZUMO-AUTH header would never reach any table API or custom API scripts?

Steve
  • 8,066
  • 11
  • 70
  • 112
  • 3
    There is a good discussion of alternatives in this related question: http://stackoverflow.com/questions/21978658/invalidating-json-web-tokens – Travis Terry Feb 06 '15 at 00:56

4 Answers4

13

Not really. When a user logs out in the client the JWT it uses isn't really invalidated - it's just removed from the client's memory (see the code on the managed SDK, for example). The JWT validation is done by checking the its signature against the mobile service's master key, and unless this key is changed (which would invalidate all of your service's JWT tokens, which I don't think is what you want), the token will be valid until it's expired.

Since you're generating the JWTs yourself you can consider using a smaller expiration time which may help in your case.

You can also suggest this feature in the mobile service's feedback forum. There's one related feature suggestion which I created, you can also consider adding a comment to that and voting it up.

carlosfigueira
  • 85,035
  • 14
  • 131
  • 171
  • 1
    Links to Azure feedback forum for Mobile Apps (formerly Mobile Services) are broken now. Besides that I can not find your suggestion anymore. – Sascha Gottfried Jun 24 '15 at 12:37
1

Store the token in a blacklist database table/collection, along with its expiry date.

Load unexpired blacklisted tokens into memory (indexed) and check every request's token against it.

Set an interval to reload the blacklist intermittently (to remove expired tokens from memory).

Tyson Fritz
  • 11
  • 2
0

To support JWT invalidation (there are always reasons):

I ended up storing a unique string per user which I hash with a global common string, so I can invalidate a single user's token, or all tokens as required.

Kerem Baydoğan
  • 10,475
  • 1
  • 43
  • 50
Mark Essel
  • 4,606
  • 2
  • 29
  • 47
0

No. The only way to logout a user and invalidate a JWT token is to remove/delete it out of the session table. This is the way you are already doing.

Lu Tran
  • 401
  • 4
  • 9