Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalidation / Blacklist a token #1137

Closed
cedriclombardot opened this issue May 3, 2023 · 3 comments
Closed

Invalidation / Blacklist a token #1137

cedriclombardot opened this issue May 3, 2023 · 3 comments

Comments

@cedriclombardot
Copy link
Contributor

Hi,

I've not found in documentation, how to invalidate a JWT token, what is the good process method ?

Found issues about token_blacklist.* but not found in code and not understand the good way

Thanks in advance
@cedriclombardot
Copy link
Contributor Author

Hi here ? Have u got an idea ? @chalasr is it a missing feature, if true perhaps can i propose an implementation !?

@chalasr
Copy link
Collaborator

chalasr commented Aug 2, 2023

Hi @cedriclombardot,
Thanks for this and apologies for the late reply, my OSS time is very limited lately.

I want this to happen 👍 So a pull request would be much appreciated.
Here are some insights about what such an implementation should look like from my POV:

  • This feature must be opt-in
  • Tokens should be given a jti claim whose value should be the only thing persisted: if the feature is enabled and a token's jti exists in the blocklist then that token must be rejected.
  • Feature detection should not be only based on the presence of the jti, as it mght break existing code that relies on this claim today.
  • The blacklist term should be avoided, alternative such as blocklist should be preferred :)
  • We will probably need a simple abstraction for the blocklist storage. A very limited set of built-in implementations should be provided, not necessarily as part of the first iteration (i.e. it can wait til another PR).

Please let me know if you're still wiling to work on this. Anyway, happy to know your thoughts on the above proposal

ldaspt added a commit to ldaspt/LexikJWTAuthenticationBundle that referenced this issue Nov 9, 2023
@ldaspt
Fix lexik#1137 Invalidate token
1af0826 
Based on lexik#1005
ldaspt added a commit to ldaspt/LexikJWTAuthenticationBundle that referenced this issue Nov 9, 2023
@ldaspt
Fix lexik#1137 Invalidate token
984e5bb 
Based on lexik#1005
ldaspt added a commit to ldaspt/LexikJWTAuthenticationBundle that referenced this issue Nov 9, 2023
@ldaspt
Fix lexik#1137 Invalidate token
caf812b 
Based on lexik#1005
ldaspt added a commit to ldaspt/LexikJWTAuthenticationBundle that referenced this issue Nov 9, 2023
@ldaspt
Fix lexik#1137 Invalidate token
c05729b 
Based on lexik#1005
ldaspt added a commit to ldaspt/LexikJWTAuthenticationBundle that referenced this issue Nov 10, 2023
@ldaspt
Fix lexik#1137 Invalidate token
3196f27 
Based on lexik#1005
ldaspt added a commit to ldaspt/LexikJWTAuthenticationBundle that referenced this issue Nov 13, 2023
@ldaspt
Fix lexik#1137 Invalidate token
dd557a3 
Based on lexik#1005
ldaspt added a commit to ldaspt/LexikJWTAuthenticationBundle that referenced this issue Nov 13, 2023
@ldaspt
Fix lexik#1137 Invalidate token
c23fc86 
Based on lexik#1005
ldaspt pushed a commit to ldaspt/LexikJWTAuthenticationBundle that referenced this issue Nov 23, 2023
fixup! Fix lexik#1137 Invalidate token
1c371a9
ldaspt added a commit to ldaspt/LexikJWTAuthenticationBundle that referenced this issue Nov 23, 2023
@ldaspt
Fix lexik#1137 Invalidate token
71ff07b 
Based on lexik#1005
@ldaspt ldaspt mentioned this issue Nov 23, 2023
Merged
ldaspt added a commit to ldaspt/LexikJWTAuthenticationBundle that referenced this issue Nov 27, 2023
@ldaspt
Fix lexik#1137 Invalidate token
59a9c58 
Based on lexik#1005
ldaspt added a commit to ldaspt/LexikJWTAuthenticationBundle that referenced this issue Dec 11, 2023
@ldaspt
Fix lexik#1137 Invalidate token
3e62c14 
Based on lexik#1005
ldaspt added a commit to ldaspt/LexikJWTAuthenticationBundle that referenced this issue Apr 15, 2024
@ldaspt
Fix lexik#1137 Invalidate token
fd5a7c5 
Based on lexik#1005
chalasr added a commit that referenced this issue Apr 15, 2024
@chalasr
feature #1170 feat: Invalidate a JWT token (ldaspt)
3785c0f 
This PR was squashed before being merged into the 2.x branch.

Discussion
----------

 feat: Invalidate a JWT token

This PR adds support for invalidating a JWT token #1137.

The code comes mainly from the discussion #1005 (reply in thread)  Thanks to `@mbabker`

I think that the PR meets the needs mentioned in #1137 (comment)

>
> * This feature must be opt-in
> * Tokens should be given a jti claim whose value should be the only thing persisted: if the feature is enabled and a token's jti exists in the blocklist then that token must be rejected.
> * Feature detection should not be only based on the presence of the jti, as it mght break existing code that relies on this claim today.
> * The blacklist term should be avoided, alternative such as blocklist should be preferred :)
> * We will probably need a simple abstraction for the blocklist storage. A very limited set of built-in implementations should be provided, not necessarily as part of the first iteration (i.e. it can wait til another PR).
>

Commits
-------

bb8aa6d  feat: Invalidate a JWT token
@chalasr
Copy link
Collaborator

chalasr commented Dec 14, 2024

Implemented in #1170. Thanks for rising the topic @cedriclombardot

@chalasr chalasr closed this as completed Dec 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cedriclombardot @chalasr