
I'm implementing JWT in FastAPI. Which is the proper way to revoke the access and refresh tokens for logout?

  1. A single logout URL to revoke both the access and refresh tokens?
  2. Individual revoke URLs?

Thanks in advance

Max
  • What about JWT expiry? – itzMEonTV Aug 03 '22 at 06:43
  • Revoke tokens only for logout – Max Aug 03 '22 at 06:46
  • If the session is maintained in the JWT, then in the logout interface (UI) just clearing the token from the client side will be enough. No need for a URL here. – itzMEonTV Aug 03 '22 at 06:50
  • Please have a look at [**this**](https://stackoverflow.com/questions/37959945/how-to-destroy-jwt-tokens-on-logout) and [**this**](https://stackoverflow.com/questions/21978658/invalidating-json-web-tokens). – Chris Aug 03 '22 at 09:29

1 Answer


JWT is designed to be stateless, which means that once a JWT is created, you cannot expire it on the server side. You'll just have to wait for it to expire, or you can tell the client to delete it.

If you still insist on deleting a JWT on the server side, you'll need some kind of blacklist, as described in this post.

You can also take a look at the blacklist functionality in Django's rest_framework_simplejwt.

xiez
  • I agree. My question is: for blacklisting (revoking), should I use a single URL to blacklist both tokens, passing the tokens as params, or individual URLs for access_token and refresh_token? – Max Aug 04 '22 at 11:44
  • A single URL to blacklist with refresh_token as the parameter should be sufficient. This is how `rest_framework_simplejwt` implements it. Of course, you need a short-lived access token, for example, 5 mins. – xiez Aug 05 '22 at 06:31
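The pattern the answer and its follow-up comment describe, as an added example that is not code from the thread, from FastAPI, or from `rest_framework_simplejwt`: a single logout operation that denylists the refresh token by its `jti`, a refresh operation that consults the denylist, and short-lived access tokens that simply run out. To keep it runnable offline it uses a minimal inline HS256 signer in place of a library such as PyJWT, an in-memory `set` in place of the Redis or database table you would use in production, and plain functions (`logout`, `refresh`, `issue_tokens`) that would sit behind `POST /logout`, `POST /refresh` and your login route in a real FastAPI app; all names, the secret and the TTL values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed placeholder secret for the example; never hard-code a real one.
SECRET = b"constructed-demo-secret"
ACCESS_TTL = 5 * 60           # short-lived access token (5 minutes, as the comment suggests)
REFRESH_TTL = 7 * 24 * 3600   # longer-lived refresh token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode(claims: dict) -> str:
    """Minimal HS256 JWT encoder standing in for a library such as PyJWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode(token: str, now=None) -> dict:
    """Verify signature and expiry; raise ValueError on any failure."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims["exp"] <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims


# Denylist of revoked refresh-token ids. In production keep this in Redis or a
# DB table and expire each entry when the token itself would have expired.
REVOKED_REFRESH_JTI: set = set()


def issue_tokens(sub: str, now=None) -> dict:
    """Login: mint an access/refresh pair, each with its own jti."""
    now = now if now is not None else time.time()
    access = encode({"sub": sub, "type": "access", "exp": now + ACCESS_TTL, "jti": uuid.uuid4().hex})
    refresh_tok = encode({"sub": sub, "type": "refresh", "exp": now + REFRESH_TTL, "jti": uuid.uuid4().hex})
    return {"access_token": access, "refresh_token": refresh_tok}


def logout(refresh_token: str, now=None) -> bool:
    """Single logout endpoint: revoke the refresh token by adding its jti to the denylist."""
    claims = decode(refresh_token, now)
    if claims.get("type") != "refresh":
        raise ValueError("not a refresh token")
    REVOKED_REFRESH_JTI.add(claims["jti"])
    return True


def refresh(refresh_token: str, now=None):
    """Refresh endpoint: return a new token pair, or None if the refresh token is revoked."""
    claims = decode(refresh_token, now)
    if claims.get("type") != "refresh" or claims["jti"] in REVOKED_REFRESH_JTI:
        return None
    return issue_tokens(claims["sub"], now)


def is_access_valid(access_token: str, now=None) -> bool:
    """Resource endpoints only check signature and expiry; no denylist lookup."""
    try:
        return decode(access_token, now).get("type") == "access"
    except ValueError:
        return False


if __name__ == "__main__":
    t0 = 1_000.0
    pair = issue_tokens("max", now=t0)
    logout(pair["refresh_token"], now=t0 + 60)
    print("refresh after logout:", refresh(pair["refresh_token"], now=t0 + 60))
    print("access still valid 1 min later:", is_access_valid(pair["access_token"], now=t0 + 60))
    print("access valid after TTL:", is_access_valid(pair["access_token"], now=t0 + ACCESS_TTL + 1))
```

Note what the denylist does and does not buy you: after `logout`, the refresh token can no longer mint new tokens, but the already-issued access token stays valid until its `exp`, which is exactly why the comment insists on a short access-token lifetime. If that window is unacceptable for your threat model, you have to denylist access-token `jti` values too and look them up on every request, at which point the tokens are no longer stateless.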