This repository has been archived by the owner on Feb 22, 2024. It is now read-only.

How to invalidate token? #45

Open
hussaintamboli opened this issue May 19, 2015 · 6 comments

Comments

@hussaintamboli

Hello,

After I have gotten the token using JWT_AUTH_URL_RULE, how do I invalidate it?

I want to create an action for /logout. On logout I want the token to expire/become invalid.

How do I do this?

@sureshjoshi

There is no vanilla way to invalidate tokens on the server side. On the client side, a /logout should simply delete the token (refer to Satellizer - https://github.com/sahat/satellizer).

To implement invalidation on the server side, you'll need to use a short token expiration followed by a refresh token feature (https://stackoverflow.com/questions/3487991/why-does-oauth-v2-have-both-access-and-refresh-tokens and #29).

Also, please consider using StackOverflow for some of these issues - as they're more questions about functionality, than issues (might get faster responses - and it helps the community)

@hussaintamboli
Author

Thanks for the resources.

From what I have read in #29, there is no way to invalidate tokens. Also suppose I generate some tokens by calling /api/v1/auth again and again, all the tokens will stay active until the expiration time. And I guess user1 will be able to use the token generated by user2 :(

I'll definitely ask these kinds of queries on StackOverflow next time.

@sureshjoshi

This is the purpose of a refresh timer and short expirations on JWTs.

@bangive

bangive commented Jun 26, 2015

This link describes a way to invalidate tokens: blacklisting JSON Web Tokens using the aud and jti claims.

@hussaintamboli
Author

@bangive But how does it work with flask_jwt?

@bangive

bangive commented Jan 4, 2016

Sorry, I don't know.
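Added example (not from this thread and not flask_jwt's own code) that puts together the two approaches discussed above: sureshjoshi's short-lived access token plus refresh token, and bangive's jti denylist. It uses only the Python standard library, so a small HS256 encode/decode pair stands in for flask_jwt's encode and decode handlers. The secret, the TTLs, the `typ` claim that separates access tokens from refresh tokens, the in-memory denylist and the fixed clock passed in as `now` are all assumptions made for this example. Logout records the presented tokens' `jti` values only until their own `exp`, so the denylist never grows past the refresh lifetime; refresh tokens are rotated (single use); and the walkthrough also shows the caveat hussaintamboli raised: a token that was never presented at logout stays valid until it expires, which is exactly why the access TTL has to be short.

```python
import base64, hashlib, hmac, json, uuid

SECRET = b"constructed-demo-secret"  # constructed for this example; load it from config in real code
ACCESS_TTL = 300                     # short-lived access token: 5 minutes
REFRESH_TTL = 7 * 24 * 3600          # longer-lived refresh token: 7 days

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode(claims):
    """Minimal HS256 JWT encoder, standing in for the library's encode handler."""
    head = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def decode(token, now):
    """Verify signature and exp, raising ValueError on failure; `now` is injected for determinism."""
    head, body, sig = token.split(".")  # ValueError on anything but three segments
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse alg=none and algorithm confusion
    want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

class AuthServer:
    """Issues access/refresh token pairs and keeps a jti denylist for logout and rotation."""
    def __init__(self):
        self._revoked = {}  # jti -> exp; an entry is dead weight once its token has expired

    def _prune(self, now):
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}

    def denylist_size(self, now):
        self._prune(now)
        return len(self._revoked)

    def login(self, user, now):
        def mint(typ, ttl):
            return encode({"sub": user, "typ": typ, "jti": uuid.uuid4().hex,
                           "iat": int(now), "exp": int(now) + ttl})
        return mint("access", ACCESS_TTL), mint("refresh", REFRESH_TTL)

    def _check(self, token, typ, now):
        claims = decode(token, now)
        if claims.get("typ") != typ:  # a refresh token must never pass as an access token
            raise ValueError(f"wrong token type: {claims.get('typ')}")
        self._prune(now)
        if claims["jti"] in self._revoked:
            raise ValueError("revoked")
        return claims

    def verify_access(self, token, now):
        return self._check(token, "access", now)

    def refresh(self, refresh_token, now):
        claims = self._check(refresh_token, "refresh", now)
        self._revoked[claims["jti"]] = claims["exp"]  # rotation: each refresh token is single-use
        return self.login(claims["sub"], now)

    def logout(self, *tokens, now):
        for tok in tokens:
            try:
                claims = decode(tok, now)
                self._revoked[claims["jti"]] = claims["exp"]  # deny-listed only until its own exp
            except ValueError:
                pass  # already expired or forged: nothing worth recording

def _outcome(fn):
    try:
        fn()
        return "ok"
    except ValueError as err:
        return str(err)

def demo():
    """Login, refresh rotation, logout and expiry on a fixed clock; returns the observed outcomes."""
    srv, t0, res = AuthServer(), 1_700_000_000, {}
    a1, r1 = srv.login("alice", t0)
    res["access_ok"] = srv.verify_access(a1, t0 + 1)["sub"]
    res["refresh_as_access"] = _outcome(lambda: srv.verify_access(r1, t0 + 1))
    a2, r2 = srv.refresh(r1, t0 + 10)
    res["old_refresh_reused"] = _outcome(lambda: srv.refresh(r1, t0 + 11))
    srv.logout(a2, r2, now=t0 + 20)
    res["access_after_logout"] = _outcome(lambda: srv.verify_access(a2, t0 + 21))
    res["refresh_after_logout"] = _outcome(lambda: srv.refresh(r2, t0 + 21))
    res["unpresented_access_after_logout"] = _outcome(lambda: srv.verify_access(a1, t0 + 21))
    res["unpresented_access_after_ttl"] = _outcome(lambda: srv.verify_access(a1, t0 + ACCESS_TTL + 1))
    res["denylist_after_all_expired"] = srv.denylist_size(t0 + 20 + REFRESH_TTL)
    return res
```

`demo()` returns the outcome of each step; the two `unpresented_access_*` entries are the caveat in one place: the first access token, which the client never handed to /logout, is still accepted a few seconds after logout and is only rejected once its five-minute TTL runs out. In production the dict becomes a shared store such as Redis with a per-key expiry equal to `exp - now`, and the jti lookup goes wherever your flask_jwt version verifies the token on each request (check the hook names of the version you run rather than assuming the ones used here).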
