upb-uc4 / lagom-core

Repository for the micro service backend using lagom.
Apache License 2.0

Tokens of deleted users are still valid #306

Open RHelmert opened 4 years ago

RHelmert commented 4 years ago

If a user gets deleted, their token is still valid and can be used for authentication.

Expected behaviour: Upon user deletion the token should get invalidated.

ldklenner commented 4 years ago

To invalidate tokens we have to set up a database operating either as an allow or a deny list. When a user requests a service, its token has to be checked against the database. To prevent the database from slowly filling up with already expired tokens, a periodic cleaning job has to be executed. Periodic jobs can be realized with the Akka scheduler, for a Lagom example see this.
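The deny-list variant described above, as an added illustration that is not code from this repository: because the service does not know which tokens a deleted user still holds, the list is keyed by user id and deletion time rather than by individual token, a request is rejected when its token's subject is on the list and the token was issued before the deletion, and the cleaning job drops entries older than the maximum token lifetime. The class name, the in-memory map standing in for the database, the assumed `maxTokenLifetime`, and the use of a `ScheduledExecutorService` where a Lagom service would use the Akka scheduler are all assumptions of this example.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

/** Hypothetical deny list of deleted users, consulted on every authenticated request. */
public final class DeletedUserDenyList {
    /** Assumed upper bound on token lifetime; an entry older than this cannot match a live token. */
    private final Duration maxTokenLifetime;
    /** userId -> instant of deletion (an in-memory stand-in for the database). */
    private final Map<String, Instant> deletedAt = new ConcurrentHashMap<>();

    public DeletedUserDenyList(Duration maxTokenLifetime) {
        this.maxTokenLifetime = maxTokenLifetime;
    }

    /** Called from the user-deletion handler, at the moment the user is removed. */
    public void markDeleted(String userId, Instant when) {
        deletedAt.put(userId, when);
    }

    /**
     * Rejects a token whose subject was deleted and which was issued at or before the deletion.
     * A token issued after the deletion (e.g. for a re-created account) is not affected.
     */
    public boolean isRevoked(String subject, Instant issuedAt) {
        Instant deleted = deletedAt.get(subject);
        return deleted != null && !issuedAt.isAfter(deleted);
    }

    /** Cleaning step: removes entries that can no longer match any unexpired token. Returns the count removed. */
    public int purge(Instant now) {
        Instant cutoff = now.minus(maxTokenLifetime);
        int before = deletedAt.size();
        deletedAt.entrySet().removeIf(e -> e.getValue().isBefore(cutoff));
        return before - deletedAt.size();
    }

    /** Periodic cleaning job; in a Lagom service the Akka scheduler would drive this call instead. */
    public ScheduledExecutorService startCleaner(Duration every) {
        ScheduledExecutorService ses = Executors.newSingleThreadScheduledExecutor();
        ses.scheduleAtFixedRate(() -> purge(Instant.now()),
                every.toMillis(), every.toMillis(), TimeUnit.MILLISECONDS);
        return ses;
    }
}
```

The check assumes the token carries its subject and issue time (for a JWT, the `sub` and `iat` claims) and runs after signature verification; `purge` only stays correct if `maxTokenLifetime` is really the longest lifetime the issuer ever grants.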