I am using this example https://dzone.com/articles/spring-boot-security-json-web-tokenjwt-hello-world for creating a Spring Boot REST API with JSON Web Token (JWT), but I have not found any API for forceful logout using the io.jsonwebtoken Maven dependency.
I am using this dependency in the pom:
groupId: io.jsonwebtoken, artifactId: jjwt, version: 0.9.1
Can anyone tell me whether this dependency provides any logout or revoke-token API or not? If not, please provide a solution for forceful logout using this process.
Several things can be done for logout:
window.sessionStorage.removeItem("token") // for session storage
or
window.localStorage.removeItem("token") // for local storage
References for them: https://developer.mozilla.org/ru/docs/Web/API/Window/sessionStorage https://developer.mozilla.org/ru/docs/Web/API/Window/localStorage
My example in Angular: https://github.com/dmcheremisin/TodoApp/blob/master/frontend/src/app/service/jwt-authentication.service.ts
If you need to allow further usage of the token, you refresh it; otherwise reject it.
Example refresh method:
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.util.Date;

// Re-issues a token with a fresh issued-at / expiration pair, keeping the other claims.
// calculateExpirationDate, getAllClaimsFromToken and secret are helpers/fields of the same class.
public String refreshToken(String token) {
    final Date createdDate = new Date();
    final Date expirationDate = calculateExpirationDate(createdDate);
    // getAllClaimsFromToken parses and verifies the signature, so an expired or forged token fails here
    final Claims claims = getAllClaimsFromToken(token);
    claims.setIssuedAt(createdDate);
    claims.setExpiration(expirationDate);
    return Jwts.builder().setClaims(claims).signWith(SignatureAlgorithm.HS512, secret).compact();
}
This code snippet is from my repo that uses the same library jjwt: https://github.com/dmcheremisin/TodoApp/blob/master/backend/src/main/java/com/todo/app/util/JwtTokenUtil.java
Related article: https://medium.com/devgorilla/how-to-log-out-when-using-jwt-a8c7823e8a6
I believe tokens have an expiration period. You can simply reduce the expiration period so that if the token gets hacked, it won't be useful after expiration.
We can achieve this by changing the secret key. Normally we maintain one secret key for all the users, so if we change the secret key it will revoke access for all the users. We can maintain a unique secret key for each user and, on a logout request, delete/change the secret key associated with that user.
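The per-user secret key approach from the answer above, worked through with the jjwt 0.9.1 API the question uses. This is an added example, not code from the question, the answers, or the linked repositories. The in-memory `ConcurrentHashMap` store, the class and method names, and the 5-minute validity are assumptions for illustration; a real deployment would keep the per-user keys in a database or shared cache so every API node sees a logout. The key lookup uses jjwt's `SigningKeyResolverAdapter`, which hands the parser the unverified claims so the subject can be used to pick the key before the signature is checked.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SigningKeyResolverAdapter;

import java.security.SecureRandom;
import java.util.Date;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical service: one HS512 key per user; logout rotates that user's key,
// which invalidates every token signed with the old key without touching other users.
public class PerUserSecretJwtService {

    private static final long VALIDITY_MS = 5L * 60 * 1000; // assumed 5-minute lifetime

    // Assumed in-memory store; replace with a DB/cache shared by all API instances.
    private final Map<String, byte[]> secretsByUser = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    private byte[] freshSecret() {
        byte[] key = new byte[64]; // 512 bits, matching HS512
        random.nextBytes(key);
        return key;
    }

    // Login: sign with the user's current key (created on first use).
    public String issueToken(String username) {
        byte[] secret = secretsByUser.computeIfAbsent(username, u -> freshSecret());
        Date now = new Date();
        return Jwts.builder()
                .setSubject(username)
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + VALIDITY_MS))
                .signWith(SignatureAlgorithm.HS512, secret)
                .compact();
    }

    // Forced logout: rotate the key. Outstanding tokens for this user now fail verification,
    // even though their exp claim has not passed yet.
    public void logout(String username) {
        secretsByUser.put(username, freshSecret());
    }

    // Returns the verified claims, or empty if the token is expired, tampered with, or revoked.
    public Optional<Claims> validate(String token) {
        try {
            Claims claims = Jwts.parser()
                    .setSigningKeyResolver(new SigningKeyResolverAdapter() {
                        @Override
                        public byte[] resolveSigningKeyBytes(JwsHeader header, Claims unverified) {
                            // 'unverified' is NOT yet signature-checked: use the subject only to
                            // choose the key, never to make an authorization decision here.
                            byte[] secret = secretsByUser.get(unverified.getSubject());
                            if (secret == null) {
                                throw new JwtException("no signing key for subject " + unverified.getSubject());
                            }
                            return secret;
                        }
                    })
                    .parseClaimsJws(token)   // verifies signature and exp with the resolved key
                    .getBody();
            return Optional.of(claims);
        } catch (JwtException | IllegalArgumentException e) {
            // SignatureException (key rotated or tampered), ExpiredJwtException, malformed input
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        PerUserSecretJwtService service = new PerUserSecretJwtService();
        String token = service.issueToken("alice");
        System.out.println("before logout, token accepted: " + service.validate(token).isPresent());
        service.logout("alice");
        System.out.println("after logout, same token accepted: " + service.validate(token).isPresent());
        String newToken = service.issueToken("alice");
        System.out.println("fresh login after logout accepted: " + service.validate(newToken).isPresent());
    }
}
```

The refresh method in the first answer fits the same shape: call `validate` first and only re-issue when it returns a value, so a token revoked by `logout` cannot be refreshed back to life. The trade-off versus a single global key is one key lookup per request, which is why the key store needs to be shared and fast.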