Logout/invalidate a JWT


Problem description

I'm using custom authentication in Azure Mobile Services by generating a JWT (JSON Web Token) in a custom login API. Once a user has a JWT, it's valid until its encoded expiry time is reached.

Beyond explicitly checking the JWT token against a sessions table on every authenticated request, is there a way to invalidate the JWT token before its expiry time (as would happen when a user logs out) such that any subsequent request made with that token as a value in the X-ZUMO-AUTH header would never reach any table API or custom API scripts?

Recommended answer

Not really. When a user logs out in the client the JWT it uses isn't really invalidated - it's just removed from the client's memory (see the code on the managed SDK, for example). The JWT validation is done by checking its signature against the mobile service's master key, and unless this key is changed (which would invalidate all of your service's JWT tokens, which I don't think is what you want), the token will be valid until it's expired.

Since you're generating the JWTs yourself you can consider using a smaller expiration time which may help in your case.

You can also suggest this feature in the mobile service's feedback forum. There's one related feature suggestion which I created; you can also consider adding a comment to it and voting it up.
