How to invalidate token? #45
There is no vanilla way to invalidate tokens on the server side. On the client side, a /logout should simply delete the token (refer to Satellizer - https://github.com/sahat/satellizer). To implement an invalidate on the server side, you'll need to use a short token expiration followed by a refresh token feature (https://stackoverflow.com/questions/3487991/why-does-oauth-v2-have-both-access-and-refresh-tokens and #29). Also, please consider using StackOverflow for some of these issues - as they're more questions about functionality than issues (might get faster responses - and it helps the community).
Thanks for the resources. From what I have read in #29, there is no way to invalidate tokens. Also, suppose I generate some tokens by calling /api/v1/auth again and again; all the tokens will stay active until the expiration time. And I guess user1 will be able to use the token generated by user2 :( I'll definitely ask these kinds of queries on StackOverflow next time.
This is the purpose of a refresh timer and short expirations on JWTs.
This link describes a way to invalidate tokens: blacklist JSON Web Tokens using the aud and jti claims.
@bangive But how does it work with flask_jwt? |
Sorry, I don't know.
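The jti denylist approach raised above, as an added example that is not part of this thread or of flask_jwt itself: tokens carry a short exp and a unique jti, logout records the jti server-side until that exp, and verification rejects revoked or expired tokens. The secret, timestamps and function names are constructed for the example; only the standard library is used.

```python
import base64, hashlib, hmac, json, time, uuid

SECRET = b"constructed-demo-secret"  # constructed for this example; use a random key in production
REVOKED = {}  # server-side denylist: jti -> exp of the revoked token

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id, ttl_seconds=300, now=None):
    """Mint an HS256 JWT with a short exp and a unique jti so it can be revoked individually."""
    now = int(time.time() if now is None else now)
    header, payload = {"alg": "HS256", "typ": "JWT"}, {"sub": user_id, "exp": now + ttl_seconds, "jti": uuid.uuid4().hex}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify_token(token, now=None):
    """Return the payload if alg, signature, exp and denylist checks pass; otherwise None."""
    now = int(time.time() if now is None else now)
    try:
        h, p, s = token.split(".")
        if json.loads(_unb64(h)).get("alg") != "HS256":  # refuse alg confusion such as "none"
            return None
        expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return None
        payload = json.loads(_unb64(p))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if payload.get("exp", 0) <= now or payload.get("jti") in REVOKED:
        return None  # expired, or revoked at logout
    return payload

def revoke_token(token, now=None):
    """Logout: denylist the jti until the token's own exp; verify_token then rejects it."""
    payload = verify_token(token, now)
    if payload is None:
        return False
    REVOKED[payload["jti"]] = payload["exp"]
    return True

def purge_expired(now=None):
    """Short exp keeps the denylist bounded: drop entries whose token has expired anyway."""
    now = int(time.time() if now is None else now)
    stale = [jti for jti, exp in REVOKED.items() if exp <= now]
    for jti in stale:
        del REVOKED[jti]
    return len(stale)
```

The denylist only ever holds jtis of tokens that have not yet expired, which is why a short expiration (with refresh tokens for long sessions) keeps it small enough to keep in memory or a cache.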
Hello, after I have gotten the token using JWT_AUTH_URL_RULE, how do I invalidate it? I wanna create an action for /logout. On logout I want the token to expire/become invalid. How do I do this?