FusionAuth / fusionauth-python-client

FusionAuth Python Client
https://fusionauth.io
Apache License 2.0

Logout API does not revoke the access_token #15

Open tanwirahmad opened 2 years ago

tanwirahmad commented 2 years ago

Hi, I am using the python client to logout a user using this function logout(). After calling this function, the access_token remains invalid. I have tried this anonymous_client.logout_with_request() function but the results were the same.

I have read these articles: https://fusionauth.io/learn/expert-advice/tokens/revoking-jwts https://fusionauth.io/learn/expert-advice/tokens/pros-and-cons-of-jwts If I understood correctly, this is the intended behaviour but I can still achieve the desired behaviour using JWTManager. But I could not find JWTManager for the python client.

So, in summary, is there any way to invalidate the access_token when a user logs out?

Versions:
Fusionauth-client 1.31
FusionAuth 1.31

mooreds commented 2 years ago

We do not yet have an implementation of JWTManager for python, you are correct. You could translate the JWTManager javascript code into python, which would be an option. We welcome pull requests :) .

scott2b commented 2 years ago

The original question seems to be specifically how to revoke an access token (not a refresh token). Although the original question states that the desired behavior can apparently be achieved via the JWTManager, I am unable to find how the JWTManager exposes functionality for revoking or invalidating an access token.

How does one go about revoking an access token? Either with the JWTManager ... or regardless of the client, what would be the correct API call to do this?

mooreds commented 2 years ago

@scott2b

You can't explicitly revoke an access token in FusionAuth. We don't support RFC 7009: https://www.rfc-editor.org/rfc/rfc7009.html and based on the number of upvotes for this, I don't know if the community wants us to: https://github.com/FusionAuth/fusionauth-issues/issues/201

So, if you want to have an access token become invalid, you have to manage it yourself. That is what is outlined in the articles @tanwirahmad mentions. The process is basically:

If you want to handle the case where a user logs out, then logs back in quickly, then the time based logic in the Webhooks section here: https://fusionauth.io/learn/expert-advice/tokens/revoking-jwts needs to be implemented.

Hope this helps.
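The self-managed approach described above (record the logout time per user, reject any JWT issued before it, and forget the record once every such token has expired) can be sketched in Python as follows. This is an added example, not code from fusionauth-python-client or from the FusionAuth articles; it assumes the application signs access tokens with HS256 (so the signature can be checked with the standard library), that the webhook handler you wire up calls `record_logout()` with the user id and the logout time, and a maximum token lifetime of 3600 seconds. The webhook payload itself is not reproduced here, and the sample tokens are constructed locally rather than issued by FusionAuth.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumed maximum access-token lifetime in seconds. Set this to the JWT
# duration configured for your FusionAuth application; once a logout record
# is older than this, every token issued before the logout has expired on
# its own and the record can be dropped.
MAX_TOKEN_LIFETIME = 3600


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Mint a constructed test token. In a deployment FusionAuth issues the token;
    this helper only exists so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims when the HS256 signature verifies, otherwise None.
    Assumes HMAC signing; for RSA/EC keys use a real JWT library instead."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse alg=none and key confusion
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64 or JSON
        return None


class RevocationRegistry:
    """user_id -> most recent logout time. Fed by your webhook handler.
    Kept in memory here; use a shared store when several processes validate tokens."""

    def __init__(self) -> None:
        self._logouts: dict = {}

    def record_logout(self, user_id: str, logged_out_at: int) -> None:
        # Only the latest logout matters; an older one is subsumed by it.
        self._logouts[user_id] = max(self._logouts.get(user_id, 0), logged_out_at)

    def prune(self, now: int) -> None:
        """Drop records older than MAX_TOKEN_LIFETIME; call periodically."""
        self._logouts = {u: t for u, t in self._logouts.items()
                         if now - t < MAX_TOKEN_LIFETIME}

    def revoked(self, user_id: str, issued_at: int) -> bool:
        # A token minted after the logout belongs to a fresh login and stays
        # valid, which covers the "logout then log back in quickly" case.
        # iat has one-second resolution, so a login in the same second as the
        # logout is accepted; tighten to <= if that window matters to you.
        logout = self._logouts.get(user_id)
        return logout is not None and issued_at < logout


def is_token_valid(token: str, key: bytes, registry: RevocationRegistry, now: int) -> bool:
    """Signature, expiry, then the self-managed revocation check."""
    claims = verify_hs256_jwt(token, key)
    if claims is None or "sub" not in claims or "iat" not in claims:
        return False
    if claims.get("exp", 0) <= now:
        return False
    return not registry.revoked(claims["sub"], claims["iat"])


if __name__ == "__main__":
    key = b"constructed-test-key"  # constructed; never hard-code a real signing key
    reg = RevocationRegistry()
    t0 = 1_700_000_000
    tok = make_hs256_jwt({"sub": "user-1", "iat": t0, "exp": t0 + 3600}, key)
    print("before logout:", is_token_valid(tok, key, reg, t0 + 10))
    reg.record_logout("user-1", t0 + 20)  # what your logout webhook handler does
    print("after logout: ", is_token_valid(tok, key, reg, t0 + 30))
```

The check runs in the resource server on every request, so the registry lookup must be cheap; the pruning step keeps it bounded by the number of users who logged out within one token lifetime.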

scott2b commented 2 years ago

This is very helpful. Thank you for the quick response. While I was poking around at this, I also ran across this discussion which seems relevant and illuminating: https://github.com/FusionAuth/fusionauth-issues/issues/25

Particularly, the whole "JWTs are meant to be portable and are not persisted server-side" thing switched on a lightbulb for me. But it also raises the question of whether they should be used in a standard application session-oriented auth workflow, as seems to be implied, e.g. in the example Flask client here. While the example does not explicitly keep track of user sessions, it would be the natural next step (and the one I am trying to solve now).

So I sort of think maybe using the JWT API for this is not the right approach? But then is there another mechanism provided by the FusionAuth API? As far as I can tell, this is just how FusionAuth works by virtue of the fact of using JWTs as OAuth tokens.

mooreds commented 2 years ago

@scott2b I suggest you take a look at these login flows. They walk through all kinds of options: https://fusionauth.io/learn/expert-advice/authentication/login-authentication-workflows

You can also post in our community forum, slack or open a support ticket (if you have support). All of these will get you a better response than posting on a client library issue (your current experience notwithstanding :) ).

scott2b commented 2 years ago

Thank you for this link. I appreciate the detail spelled out here.