This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

How to invalidate/revoke JWT token after user logout

Posted on 04-02-2019 05:36 AM
darpanjain420
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

In my application APIGEE is used as the authentication layer for users. We are using JWT token as means for authentication at service end. There is a requirement such that if the user logs out and the JWT token is not expired, then the application should call the APIGEE edge for the invalidation of the JWT issued earlier.

Is there any way to achieve this scenario?

Solved Solved
0 9 21.2K
Topic Labels
Jump to Solution
0 Likes
2 ACCEPTED SOLUTIONS

Posted on --/--/---- --:-- AM
dchiesa1
Staff
Reply posted on --/--/---- --:-- AM

JWT Cannot be invalidated. I have written about this elsewhere.

You can sort of simulate invalidation of a JWT, for a particular verifying party, by storing the JWT ID (jti claim) or equivalent, into a "revoked" list. For example, in a cache stored in Apigee Edge using the PopulateCache policy. Use a TTL that is longer than the JWT Expiry. (This will not work well if the JWT does not have an expiry!)

Then, to verify the JWT, you would need 2 steps in your API Proxy flow:

  • extract the JTI (or other unique identifier) from the JWT using the DecodeJWT policy, and check the Revoked list (via the LookupCache policy) to see if that key is present. If it is present, then the JWT has been marked "revoked", so the API proxy should respond accordingly.
  • otherwise use VerifyJWT as normal.

Any other party that verifies the JWT will not consider it to be revoked.

View solution in original post

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
sidd-harth
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Darpan, I have handled JWT in the past within a MEAN Stack App. It was a PoC and security was not a high priority so I have used cookies to handle JWT. When the user logs out, I used to simply clear the cookie.

Dino that is a good solution for indirectly revoking a JWT in some exceptional cases. I have built a sample proxy based on your steps. Can you please explain why the PopulateCache should have a longer TTL than the JWT Expiry?

jwt-rev4-2019-04-03.zip

View solution in original post

jwt-rev4-2019-04-03.zip
Jump to Solution
0 Likes
9 REPLIES 9
Top Solution Authors
View all