jazzband / djangorestframework-simplejwt

A JSON Web Token authentication plugin for the Django REST Framework.
https://django-rest-framework-simplejwt.readthedocs.io/
MIT License

Proper way to handle logout with Simple JWT in DRF #697

Open ghost opened 1 year ago

ghost commented 1 year ago

I implemented a logout functionality using Simple JWT in my application. I blacklisted the user's refresh token upon logout, and my JWT settings are as follows:

```python
from datetime import timedelta

# settings.py
SIMPLE_JWT = {
    "ACCESS_TOKEN_LIFETIME": timedelta(minutes=1),
    "REFRESH_TOKEN_LIFETIME": timedelta(days=1),
    "ROTATE_REFRESH_TOKENS": True,
    "BLACKLIST_AFTER_ROTATION": True,
    "SLIDING_TOKEN_LIFETIME": timedelta(minutes=60),
    "SLIDING_TOKEN_REFRESH_LIFETIME": timedelta(days=1),
}
```

However, when a user logs out and their refresh token is blacklisted, they are still authorized to access the system using their access token until it expires, which is set to 1 minute in my case. What can be done to make sure that the user is completely unauthorized upon logout?

What about revoking both the access key and the refresh key when a user logs out. In every subsequent request, I can check whether the access key is blacklisted in the database, and if it is, raise an exception. However, doing this would break the statelessness of JWTs, and I don't think a database would be a good choice for this. Instead, I might consider using something like Redis. Please let me know if I'm wrong.

Thank You 👍

Chhunneng commented 1 year ago

After you log out, send a request to the refresh-token endpoint; then the token will not be usable anymore. But it's just a temporary solution for now.

skdishansachin commented 1 year ago

I am facing the same issue that @ghost had. Is there any way to solve it?

thank you 😊

expzhizhuo commented 1 year ago

I have the same problem as you. Do you have a good solution?

skdishansachin commented 1 year ago

Here is a clearer explanation of a possible solution to a problem: you can blacklist the access_token and refresh_token in Redis by using the token's unique identifier or JWT id as the key and setting an expiration time based on the token's lifetime. To ensure security, you can check if either the access_token or refresh_token is blacklisted in Redis before processing subsequent requests, and deny access if either is blacklisted.

Regarding the issue of statelessness of JWTs, I am not sure, but I don't think it is affected. If you need more information, you can check out https://stackoverflow.com/questions/52431850/logout-django-rest-framework-jwt.
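The denylist described in the two comments above (revoke both the access token and the refresh token at logout, keyed by the token's `jti` claim, with each entry expiring when the token itself would), as an added example that is not code from this issue or from Simple JWT. It assumes a store with a Redis-like `set(key, value, ex=seconds)` / `exists(key)` interface; an in-memory stand-in with an injectable clock is used so it runs offline, and a real `redis.Redis` client can replace it. Token payloads are plain dicts of decoded claims (Simple JWT issues `jti` and `exp` in every token); the helper names `revoke_token`, `logout`, `is_revoked` and `authenticate` are this example's own.

```python
"""Denylist for access and refresh tokens keyed by the JWT ID ("jti").

Added example, not part of the issue or of Simple JWT. A Redis-like store is
assumed (set with ex=, exists); InMemoryDenylist below is an offline stand-in.
"""
import time


class InMemoryDenylist:
    """Minimal stand-in for a redis client: a key lives for `ex` seconds.

    `clock` is a callable returning unix seconds so expiry can be exercised
    deterministically; a real client keeps its own clock server-side.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._expiry = {}  # key -> unix timestamp at which the key disappears

    def set(self, key, value, ex=None):
        # Mirrors redis-py's set(name, value, ex=seconds); value is unused here.
        self._expiry[key] = self._clock() + ex if ex else float("inf")

    def exists(self, key):
        # redis-py returns the number of existing keys (0 or 1 for one key).
        expiry = self._expiry.get(key)
        if expiry is None:
            return 0
        if expiry <= self._clock():  # aged out: purge lazily, as Redis would
            del self._expiry[key]
            return 0
        return 1


def _key(payload):
    # One namespace for both token types; "jti" is unique per issued token.
    return f"jwt:denylist:{payload['jti']}"


def revoke_token(store, payload, now):
    """Put a decoded token on the denylist until its own expiry.

    The TTL equals the token's remaining lifetime, so the store never holds
    entries for tokens that could no longer validate anyway. Returns False
    (and stores nothing) for a token that has already expired.
    """
    ttl = int(payload["exp"]) - int(now)
    if ttl <= 0:
        return False
    store.set(_key(payload), "revoked", ex=ttl)
    return True


def logout(store, access_payload, refresh_payload, now):
    """Revoke both tokens the client presents at logout."""
    return (revoke_token(store, access_payload, now),
            revoke_token(store, refresh_payload, now))


def is_revoked(store, payload):
    return bool(store.exists(_key(payload)))


def authenticate(store, payload, now):
    """The per-request step a custom authentication class would add after the
    signature and expiry checks: reject any token that is on the denylist."""
    if int(payload["exp"]) <= int(now):
        return "expired"
    if is_revoked(store, payload):
        return "revoked"
    return "ok"


if __name__ == "__main__":
    # Constructed sample claims: a 60 s access token and a 1-day refresh token.
    clock = {"now": 1_000_000}
    store = InMemoryDenylist(clock=lambda: clock["now"])
    access = {"jti": "a1", "exp": 1_000_060, "token_type": "access"}
    refresh = {"jti": "r1", "exp": 1_086_400, "token_type": "refresh"}
    print(authenticate(store, access, clock["now"]))   # ok
    print(logout(store, access, refresh, clock["now"]))  # (True, True)
    print(authenticate(store, access, clock["now"]))   # revoked
    clock["now"] += 120                                 # access token expired
    print(authenticate(store, access, clock["now"]))   # expired
    print(is_revoked(store, refresh))                   # True
```

In a DRF project the `authenticate` step would sit in a subclass of `rest_framework_simplejwt.authentication.JWTAuthentication`, reading `validated_token["jti"]` and `validated_token["exp"]` after the library has verified the signature, with the store being a `redis.Redis` instance (its `set(..., ex=ttl)` and `exists(...)` calls have the shape used above). The cost of this check is one key lookup per request, bounded in size because every entry expires with its token; the short access-token lifetime already in the settings above keeps the window between logout and the denylist taking effect small even if the lookup is ever skipped.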

expzhizhuo commented 1 year ago

@dishansa As I can see, his approach is to use a custom authentication class instead of using his own IsAuthenticated, which means I need to use a custom authentication class instead of my own authentication. But I don't want to rewrite the authentication. I want to use my own authentication.

skdishansachin commented 1 year ago

@expzhizhuo I'm sorry, I'm having trouble understanding your message. Could you please provide some more information?

Darkbeast-glitch commented 11 months ago

I have the same problem: now when the token is refreshed and added to the blacklist, I am still able to access other endpoints that need authorization with the same access token.

nikhilrizal commented 11 months ago

As I guess, we need to add a custom decorator.

BESoft33 commented 3 months ago

Has anybody found a better way to deal with it?