Blacklisted tokens can still be refreshed #36

If you configure an app to allow blacklisting tokens and turn JWT_ALLOW_REFRESH on, then you can still operate the refresh endpoint using a blacklisted token, which allows you to side-step the fact that the token is invalidated.

Comments

There's a more nuanced problem where invalidating a token doesn't do anything to any related tokens that could still be valid. For example, if you authenticate to create token A, then refresh it to get token B, but A is still valid, then blacklisting token B only prevents that exact token (reasonably enough). It might be worth adding a way to blacklist the whole family of refreshed tokens, by adding a common identifier for the initial authentication, but that's well beyond the scope of what I'm seeking to fix here. Alternatively, if we were to add something that prevented a token being refreshed more than once (which I would see as a reasonable restriction, although possibly annoying to enforce), then we could potentially use the same mechanism to prevent the 'antecedents' of refreshed tokens from being used, too.

We did set out to implement JWT blacklisting as described by Auth0, including the refresh tokens upon usage, but we ran out of time and resources due to other issues. I've added the links above so anyone who reads this issue knows what was the original intention and, based on your comment, figures out what's left to do. I agree with everything you've pointed out and would like to see this change land, either by reviewing it or doing it myself, but we are a bit short on time at the moment, hence the basic blacklist functionality.

@fitodic: That's good to know. I can probably find some time soon to add support for token identifiers and/or improvements around refresh tokens. I'll hopefully let you know in the next few weeks.
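The following stdlib-only Python sketch is an added illustration, not the project's code: its refresh step refuses a blacklisted token (the bug reported in this issue), and it carries the "common identifier for the initial authentication" proposed in the first comment as a `fam` claim, so blacklisting the family also stops the antecedent token A. The token format, claim names, secret and blacklist sets are constructed for this example only.

```python
import base64, hashlib, hmac, json, time, uuid
from typing import Optional

# Constructed demo values; a real deployment reads the secret from settings.
SECRET = b"constructed-demo-secret"
BLACKLISTED_JTI = set()     # exact tokens revoked (what the issue describes today)
BLACKLISTED_FAMILY = set()  # whole refresh chains revoked (idea from the first comment)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def issue_token(user: str, family: Optional[str] = None, ttl: int = 300) -> str:
    """Mint a signed token: 'jti' is unique per token, 'fam' is shared by every
    token refreshed from the same initial authentication."""
    claims = {"sub": user, "jti": uuid.uuid4().hex,
              "fam": family or uuid.uuid4().hex,
              "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"

def decode(token: str) -> dict:
    """Verify signature and expiry; raise ValueError otherwise."""
    body, sig = token.split(".")
    if not hmac.compare_digest(sig, _sign(body)):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] < time.time():
        raise ValueError("expired")
    return claims

def refresh(token: str) -> str:
    """Refresh endpoint: a blacklisted token (or family) cannot be refreshed."""
    claims = decode(token)
    if claims["jti"] in BLACKLISTED_JTI:
        raise PermissionError("token is blacklisted")
    if claims["fam"] in BLACKLISTED_FAMILY:
        raise PermissionError("token family is blacklisted")
    return issue_token(claims["sub"], family=claims["fam"])  # keeps the family

def blacklist_token(token: str) -> None:
    BLACKLISTED_JTI.add(decode(token)["jti"])

def blacklist_family(token: str) -> None:
    BLACKLISTED_FAMILY.add(decode(token)["fam"])

def can_refresh(token: str) -> bool:
    try:
        refresh(token)
        return True
    except (PermissionError, ValueError):
        return False
```

Blacklisting only B leaves A refreshable, which is exactly the nuance raised in the first comment; blacklisting the family closes that gap.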