
Is there any way to restrict the token if the user logs out?

I followed this solution for Spring Boot 3 with Keycloak: Use Keycloak Spring Adapter with Spring Boot 3.

Brian Clozel

1 Answer


AFAIK, you can't invalidate an issued token. This is one of the reasons you should set the expiry time of the access token as short as possible and use the refresh token to get a new access token.

To answer your question: if the user logs out, make a call to the server to cache/persist that token. If you are using a gateway server (or anything equivalent), check the token from each incoming request against the list of tokens kept in the DB/memory. If a match is found, return an access denied error.

If you are caching in Redis, calculate the expiry time from the token and set the same expiry on the Redis key. This removes the additional responsibility on your side to remove the keys from Redis.

The above suggestion is not an ideal solution, especially if you have high-traffic websites. Also, you have to think about whether you really need to implement token invalidation (basically restriction) by weighing the trade-offs.

Miko