How to invalidate JWTAuth generated token?

Manjunath Reddy
Jul 2, 2015, 12:11:54 AM
to ve...@googlegroups.com

Hello,

I have implemented an authorization based on JWT to generate the token after authenticating with the DB. But I didn't understand how to invalidate the token (for example, when the user clicks logout)?

The basic code:

       
Router router = Router.router(vertx);


        router
.route().handler(CookieHandler.create());
        router
.route().handler(BodyHandler.create());
        router
.route().handler(SessionHandler.create(LocalSessionStore.create(vertx)));


       
// Create a JWT Auth Provider
       
JWTAuth jwt = JWTAuth.create(vertx, new JsonObject()
               
.put("keyStore", new JsonObject()
                       
.put("type", "jceks")
                       
.put("path", this.getClass().getResource("/secret/keystore.jceks").getPath())
                       
.put("password", "secret")));


       
// protect the API
       
// Any requests to URI starting '/api/' require login
        router
.route("/api/*").handler(RedirectAuthHandler.create(jwt, "/auth.html"));


       
// Implement logout
        router
.route("/logout").handler(ctx -> {
           
//ctx.clearUser();
           
//How to invalidate the Token
           
// Redirect back to the index page
            ctx
.response().putHeader("location", "/").setStatusCode(302).end();
       
});
       
// this route is excluded from the auth handler
        router
.get("/auth/newToken").handler(ctx -> {
            connection
.execute(sql, execute -> {
               
if (execute.succeeded()) {
                       ctx
.response().putHeader("Content-Type", "text/plain");
                       ctx
.response().end(jwt.generateToken(new JsonObject().put('role', <<userId>>, new JWTOptions().setExpiresInSeconds(60 * 30)));
                 
} else {
                   
// Failed!
                 
}
           
       
});



Thanks,
Manjunath Reddy

Paulo Lopes
Jul 2, 2015, 4:04:50 AM
to ve...@googlegroups.com
JWT and other token authentication mechanisms do not have the concept of logout.

However, one can implement such a mechanism at the expense of having to keep track of revoked tokens.

To do this, say for JWT or OAuth, the minimum you need is a table (NoSQL, SQL, Redis) with the following info:

{token, expiration_date}

Now, every time there is a request, you must first verify whether the token is present in that table:

if yes, then you refuse the request with 401; else continue with normal JWT validation, which may again lead to a 401/403.

When a user does logout:

insert the token and its expiration date into the table.

System maintenance: you need a cron job to clean tokens whose expiration date is in the past, or use something like:

redis expireat: http://redis.io/commands/EXPIREAT
mongo ttl indexes: http://docs.mongodb.org/manual/tutorial/expire-data/

for SQL you might want some cron job with a trigger...
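The revocation list described above, as an added Java example (not code from the thread or from vert.x): an in-memory map stands in for the {token, expiration_date} table, the caller passes the token's own expiry (the application knows it from setExpiresInSeconds), and purgeExpired plays the role of the cron job or TTL index.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Revocation list in the shape described in the reply: {token, expiration_date}.
// The in-memory map is a stand-in for a SQL table, a Redis key with EXPIREAT,
// or a Mongo collection with a TTL index; the operations are the same.
public final class RevokedTokens {
    private final Map<String, Instant> revoked = new ConcurrentHashMap<>();

    // Logout: store the token with its own expiry. It never needs to be kept
    // longer than that, because normal JWT validation rejects it afterwards.
    public void revoke(String token, Instant expiresAt) {
        revoked.put(token, expiresAt);
    }

    // Per-request check, run BEFORE the normal JWT validation.
    // true  -> answer 401 right away
    // false -> hand the request over to JWTAuth as usual
    public boolean isRevoked(String token, Instant now) {
        Instant exp = revoked.get(token);
        if (exp == null) return false;
        if (!exp.isAfter(now)) {          // entry outlived the token itself
            revoked.remove(token, exp);   // opportunistic cleanup
            return false;                 // JWT validation will reject it as expired anyway
        }
        return true;
    }

    // The "cron job": drop every entry whose expiration date is in the past.
    public int purgeExpired(Instant now) {
        int before = revoked.size();
        revoked.entrySet().removeIf(e -> !e.getValue().isAfter(now));
        return before - revoked.size();
    }

    public static void main(String[] args) {
        RevokedTokens store = new RevokedTokens();
        Instant now = Instant.parse("2015-07-02T00:00:00Z");
        // constructed sample string, not a real signed JWT
        String token = "eyJhbGciOiJSUzI1NiJ9.CONSTRUCTED-SAMPLE-PAYLOAD.signature";
        System.out.println(store.isRevoked(token, now));                          // false: still valid
        store.revoke(token, now.plus(Duration.ofMinutes(30)));                    // user clicked logout
        System.out.println(store.isRevoked(token, now.plusSeconds(60)));          // true: refuse with 401
        System.out.println(store.purgeExpired(now.plus(Duration.ofMinutes(31)))); // 1: entry cleaned up
    }
}
```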

Manjunath Reddy
Jul 2, 2015, 2:37:29 PM
to ve...@googlegroups.com
Thanks Paulo, I would either implement my own security or I will adopt the Apache Shiro.