tapis-project / authenticator

BSD 3-Clause "New" or "Revised" License

Token Revocation #7

Closed joestubbs closed 1 year ago

joestubbs commented 2 years ago

In order to support long-lived tokens and for other reasons, we want to be able to revoke or invalidate individual JWTs. One approach to the implementation is to have a new endpoint, DELETE /v3/tokens/ which would add the token to a persistent data store of "revoked tokens". This in turn could be implemented with a fast in-memory system like Redis, and the row representing a revoked token could be set to expire whenever the token itself expired (because if the token is expired it won't pass validation anyway). This will prevent the table from becoming too big over time.

Since services are responsible for validating tokens directly, it might be ideal to put the check to see if a token has been revoked in the nginx layer. This would prevent every service from having to implement the check. There seems to be some support in nginx for validating JWT, see https://www.nginx.com/blog/validating-oauth-2-0-access-tokens-nginx/
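The revoked-token store sketched in the comment above, as an added example that is not part of this issue or of the tapis-project code: an in-memory stand-in for the Redis store whose entries expire at the token's own `exp` time (what Redis would do with a key TTL), keyed by a hash of the token rather than the bearer token itself. The names `RevocationStore`, `token_expiry`, `token_key` and `make_sample_token`, the fixed clock and the sample tokens are all constructed for illustration; only the payload's `exp` claim is parsed, on the assumption that signature validation happens in the service's existing token check, as the comment describes.

```python
import base64
import hashlib
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_expiry(token: str):
    """Return the 'exp' claim (epoch seconds) of a JWT, or None if it is
    absent or the token is malformed. Only the payload segment is parsed;
    signature verification is assumed to happen elsewhere."""
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
        exp = payload.get("exp")
        return int(exp) if exp is not None else None
    except (IndexError, ValueError, AttributeError):
        return None


def token_key(token: str) -> str:
    """Key the store by a SHA-256 digest so it never holds raw bearer tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class RevocationStore:
    """Hypothetical stand-in for the Redis 'revoked tokens' store: each entry
    carries the token's expiry and is treated as gone once that time passes."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for deterministic runs
        self._entries = {}           # token_key -> expiry (epoch seconds)

    def revoke(self, token: str) -> bool:
        exp = token_expiry(token)
        # An already-expired token fails validation anyway, so storing it
        # would only grow the table; report that nothing was recorded.
        if exp is None or exp <= self._clock():
            return False
        self._entries[token_key(token)] = exp
        return True

    def is_revoked(self, token: str) -> bool:
        key = token_key(token)
        exp = self._entries.get(key)
        if exp is None:
            return False
        if exp <= self._clock():
            del self._entries[key]   # lazy eviction, mimicking a key TTL
            return False
        return True

    def size(self) -> int:
        return len(self._entries)


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string for this demo only; the
    signature segment is a placeholder because nothing here verifies it."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def demo() -> dict:
    now = [1_700_000_000]  # constructed fixed clock
    store = RevocationStore(clock=lambda: now[0])
    live = make_sample_token({"sub": "jdoe", "exp": now[0] + 3600})
    stale = make_sample_token({"sub": "jdoe", "exp": now[0] - 10})
    other = make_sample_token({"sub": "other", "exp": now[0] + 60})
    results = {
        "revoke_live": store.revoke(live),       # recorded until its exp
        "revoke_stale": store.revoke(stale),     # nothing to record
        "live_revoked": store.is_revoked(live),
        "other_revoked": store.is_revoked(other),
    }
    now[0] += 3601                               # move past the token's exp
    results["live_after_expiry"] = store.is_revoked(live)
    results["entries_after_expiry"] = store.size()
    return results


if __name__ == "__main__":
    print(demo())
```

In deployment the dict becomes a Redis key set with `EXPIREAT` equal to the token's `exp`, and the `is_revoked` lookup runs wherever tokens are validated (per service, or once in the nginx layer as the comment suggests) after the signature and expiry checks have passed.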

joestubbs commented 2 years ago

Initial design document completed: https://confluence.tacc.utexas.edu/display/CIC/Token+Revocation

joestubbs commented 1 year ago

released with 1.2.4