
How to revoke the access token and refresh token of a user as an admin user while using JWT in OAuth2?

How to revoke the access token and refresh token of a user as an admin user while using JWT in OAuth2? Is it recommended to store tokens in a database?

If you want to be able to revoke tokens, then there is no other way but to keep some data in the database. You can either keep the concrete tokens and mark them as revoked until they expire, or keep an entry with a clientID/userID and a timestamp and not accept tokens issued to that client/user before the given timestamp.

If you want to be able to revoke access tokens, then you have to remember that all APIs which consume that token will have to call that database to check whether the token was revoked. It is usually easier to have short-lived access tokens (15 or even 5 minutes) and only deal with revoking the refresh token, as the RT is used only in your Authorization Server.
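As an added example, not code from the question or the answer above, the following Python implements both revocation strategies the answer describes behind one store: marking a concrete token (by its `jti`) as revoked until it expires, and recording a per-subject "not before" timestamp so that an admin can invalidate every token a user holds in one write. The `accept_token` check is what each API runs per request for access tokens, and what the Authorization Server runs for refresh tokens. The HS256 JWT helpers use only the standard library so the example runs offline; the secret, subject names, `jti` values and timestamps are constructed for the demo and are assumptions, not values from the page.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed for this example only; a real deployment loads the HS256 key
# (or better, an asymmetric key pair) from its secret store.
SECRET = b"example-hs256-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, jti: str, ttl: int, now: int, secret: bytes = SECRET) -> str:
    """Mint a minimal HS256 JWT with sub/jti/iat/exp (stdlib only, runs offline)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": sub, "jti": jti, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_signature(token: str, secret: bytes = SECRET) -> Optional[dict]:
    """Return the claims if the token is a well-formed, HS256-signed JWT, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse alg=none and algorithm-confusion attempts
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # bad base64, bad JSON or wrong number of segments
        return None


class RevocationStore:
    """In-memory stand-in for the database table the answer describes.

    revoked_jtis: concrete tokens marked revoked, kept only until they expire.
    not_before:   per-subject timestamp; tokens issued at or before it are rejected.
    """

    def __init__(self) -> None:
        self.revoked_jtis: dict = {}  # jti -> exp, so rows can be purged later
        self.not_before: dict = {}    # sub -> revocation timestamp

    def revoke_token(self, claims: dict) -> None:
        self.revoked_jtis[claims["jti"]] = claims["exp"]

    def revoke_all_for_subject(self, sub: str, now: int) -> None:
        """Admin action: invalidate every token issued to this user up to now."""
        self.not_before[sub] = now

    def purge_expired(self, now: int) -> None:
        """Rows for expired tokens are dead weight: the exp check already rejects them."""
        self.revoked_jtis = {j: e for j, e in self.revoked_jtis.items() if e > now}

    def is_revoked(self, claims: dict) -> bool:
        if claims["jti"] in self.revoked_jtis:
            return True
        cutoff = self.not_before.get(claims["sub"])
        # iat has one-second granularity, so a token minted in the same second as
        # the revocation is treated as revoked rather than let through.
        return cutoff is not None and claims["iat"] <= cutoff


def accept_token(token: str, store: RevocationStore, now: int) -> Optional[dict]:
    """The per-request check every API (and the auth server, for refresh tokens) runs."""
    claims = verify_signature(token)
    if claims is None or claims["exp"] <= now:
        return None
    if store.is_revoked(claims):
        return None
    return claims


if __name__ == "__main__":
    store = RevocationStore()
    t0 = 1_700_000_000
    access = issue_token("alice", "at-1", ttl=300, now=t0)
    print("fresh token accepted:", accept_token(access, store, t0 + 1) is not None)
    store.revoke_all_for_subject("alice", now=t0 + 60)  # admin revokes alice
    print("after admin revocation:", accept_token(access, store, t0 + 61) is not None)
```

The per-subject timestamp is the cheaper row to keep: one entry per user regardless of how many tokens were issued, and the row never needs purging. The `jti` denylist is only worth its storage while the token has not yet expired, which is why `purge_expired` drops rows once `exp` has passed; with access tokens of 5 to 15 minutes that table stays tiny, and the same store consulted by the Authorization Server on each refresh is what makes refresh-token revocation take effect.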
