How to invalidate JWT token received from Azure AD

Views: 47

Problem description

I have 2 apps, one in Spring Boot and another in Angular. Currently I have integrated my application with Azure AD and hence authenticate through it. Now the question here is: when the user logs out from the front-end app, how do I invalidate the JWT token provided by Azure AD if the token has not expired? Because, if someone is able to get the token despite the user having logged out, he can use that token to retrieve data from the backend. Any idea how to do this?

Recommended answer

Your question is one that has got many people looking for a definitive answer. In short: there is no clear-cut answer. Sure, there are some options that kinda work, but none of them are fool-proof.

I think the answer to the SO question Invalidating JSON Web Tokens sums up your options best:

  1. Remove the token from the client
  2. Create a token blacklist
  3. Just keep token expiry times short and rotate them often

I've seen option 3 to be the most successful 'in the field'.
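One way to combine options 2 and 3 on the backend, as an added example that is not part of the answer and not Spring Boot or Azure AD code: a denylist keyed by the token's `jti` claim (or a hash of the raw token when that claim is absent) that forgets entries once the token would have expired anyway, so a short expiry keeps the list small. It assumes the resource server's JWT filter has already verified the signature and issuer before these checks run; the claim dicts below are constructed sample data.

```python
import hashlib
import time
from typing import Dict, Optional

# Claims as they look after signature/issuer verification (assumed done upstream).
Claims = Dict[str, object]


def denylist_key(raw_token: str, claims: Claims) -> str:
    """Prefer the token's unique id claim; fall back to a hash of the raw token."""
    jti = claims.get("jti")
    if jti:
        return f"jti:{jti}"
    return "sha256:" + hashlib.sha256(raw_token.encode()).hexdigest()


class TokenDenylist:
    """Option 2: remember revoked tokens, but only until they expire (option 3
    keeps that window short, which bounds the size of this list)."""

    def __init__(self) -> None:
        self._revoked: Dict[str, float] = {}  # key -> exp (unix seconds)

    def revoke(self, raw_token: str, claims: Claims) -> None:
        # Called at logout; an entry never needs to outlive the token itself.
        self._revoked[denylist_key(raw_token, claims)] = float(claims["exp"])

    def is_revoked(self, raw_token: str, claims: Claims) -> bool:
        return denylist_key(raw_token, claims) in self._revoked

    def prune(self, now: Optional[float] = None) -> int:
        """Drop entries whose tokens have expired anyway; returns the count dropped."""
        now = time.time() if now is None else now
        stale = [k for k, exp in self._revoked.items() if exp <= now]
        for k in stale:
            del self._revoked[k]
        return len(stale)

    def __len__(self) -> int:
        return len(self._revoked)


def is_token_accepted(raw_token: str, claims: Claims, denylist: TokenDenylist,
                      now: Optional[float] = None) -> bool:
    """Per-request check the backend runs after signature verification."""
    now = time.time() if now is None else now
    if float(claims["exp"]) <= now:
        return False  # expired: rejected regardless of the denylist
    return not denylist.is_revoked(raw_token, claims)
```

Run `prune()` periodically (or on each revoke) so the denylist never grows beyond the number of tokens revoked within one expiry window.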
