I have an access token with a short expiration (5 minutes) and a refresh token.

How can I immediately revoke the access token for a specific user?

For example, if I want to ban a certain user? I clicked the ban button and now I want to revoke his access token immediately. I don't want to wait for the token to expire.

I need to somehow create a blacklist of tokens, but if I don't know the access token for a specific user, how can I add it to the blacklist?

Should I store all JWT tokens in a database or Redis? A code example would be very helpful.

Thank you

moaes01
    Possible duplicate of [How can I revoke a JWT token?](https://stackoverflow.com/questions/31919067/how-can-i-revoke-a-jwt-token) – Eyk Rehbein May 11 '19 at 12:15

1 Answer

I do not think there is a library that can help you invalidate a signed token immediately. But yes, you can whitelist them in a DB, such as PostgreSQL or MongoDB. But it is preferred, due to performance issues, to store them in Redis. When a refresh_token is signed, then set it in Redis. In the refresh_token endpoint, where you verify and use the refresh_token to issue a new access token, check if that refresh_token is present in the DB. If not, then it is invalid.

But how do you revoke them, or delete them from the DB, so that they are invalid? You create a logout endpoint, where you delete that refresh_token from the database.

FYI: I found out that it is good practice to hash the JWT before storing it in the database, and then, as you know, comparing it, and all that stuff. It is more secure this way, because anyone that has access to your DB, in that case Redis, can use an already valid refresh_token.

georgekrax
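A worked example of the whitelist scheme the answer describes, added here and not taken from the answer or the question: refresh tokens are HMAC-signed, only their SHA-256 hash is kept in a per-user Redis set, the refresh endpoint checks both the signature and whitelist membership, logout removes one hash, and banning a user deletes that user's whole set so every refresh token they hold stops working at once. The `FakeRedis` class is an in-memory stand-in that uses the same `sadd`/`sismember`/`srem`/`delete` method names as the redis-py client, so a real `redis.Redis()` can be passed in its place; the token format, key names, `SECRET` and the lifetimes are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set

# Signing key for the example only; a real deployment loads it from secret storage.
SECRET = secrets.token_bytes(32)
ACCESS_TTL = 5 * 60            # 5-minute access tokens, as in the question
REFRESH_TTL = 30 * 24 * 3600   # assumed refresh-token lifetime


class FakeRedis:
    """In-memory stand-in offering the four set commands used below, with the
    same method names as the redis-py client (sadd, sismember, srem, delete)."""

    def __init__(self) -> None:
        self._sets: Dict[str, Set[str]] = {}

    def sadd(self, name: str, value: str) -> int:
        members = self._sets.setdefault(name, set())
        added = value not in members
        members.add(value)
        return int(added)

    def sismember(self, name: str, value: str) -> bool:
        return value in self._sets.get(name, set())

    def srem(self, name: str, value: str) -> int:
        members = self._sets.get(name, set())
        removed = value in members
        members.discard(value)
        return int(removed)

    def delete(self, name: str) -> int:
        return int(self._sets.pop(name, None) is not None)


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def _make_token(user_id: str, ttl: int) -> str:
    # Layout "user_id.expiry.nonce.signature"; user ids are assumed not to contain dots.
    payload = f"{user_id}.{int(time.time()) + ttl}.{secrets.token_urlsafe(16)}"
    return f"{payload}.{_sign(payload)}"


def _verify(token: str) -> Optional[str]:
    """Return the user id if the signature is valid and the token is unexpired."""
    parts = token.split(".")
    if len(parts) != 4:
        return None
    user_id, exp, nonce, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{user_id}.{exp}.{nonce}")):
        return None
    if not exp.isdigit() or int(exp) < time.time():
        return None
    return user_id


def _token_hash(token: str) -> str:
    # Only the SHA-256 of the token is stored, so a copy of the Redis data
    # does not hand out usable refresh tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def _key(user_id: str) -> str:
    return f"refresh_tokens:{user_id}"


def issue_refresh_token(store: FakeRedis, user_id: str) -> str:
    token = _make_token(user_id, REFRESH_TTL)
    store.sadd(_key(user_id), _token_hash(token))   # whitelist the new token
    return token


def refresh_access_token(store: FakeRedis, refresh_token: str) -> Optional[str]:
    """The refresh endpoint: the signature must verify AND the hash must still be whitelisted."""
    user_id = _verify(refresh_token)
    if user_id is None:
        return None
    if not store.sismember(_key(user_id), _token_hash(refresh_token)):
        return None   # revoked by logout or by a ban
    return _make_token(user_id, ACCESS_TTL)


def logout(store: FakeRedis, refresh_token: str) -> bool:
    """The logout endpoint: drop this one refresh token from the whitelist."""
    user_id = _verify(refresh_token)
    if user_id is None:
        return False
    return bool(store.srem(_key(user_id), _token_hash(refresh_token)))


def ban_user(store: FakeRedis, user_id: str) -> None:
    # Deleting the whole set revokes every refresh token the user holds; an
    # access token already issued stays usable only until it expires (5 minutes here).
    store.delete(_key(user_id))


if __name__ == "__main__":
    redis_store = FakeRedis()
    rt = issue_refresh_token(redis_store, "alice")
    print("refresh works:", refresh_access_token(redis_store, rt) is not None)
    ban_user(redis_store, "alice")
    print("refresh after ban:", refresh_access_token(redis_store, rt))
```

The ban takes effect for the refresh path immediately; the already-issued access token is the one thing this scheme cannot pull back, which is why the short access-token lifetime from the question matters: it bounds the window between the ban and the user's last successful request.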