Logout in spring controller

Question

I was wondering how I could revoke my JWT token from the server. I need it because when the client logs out from the application, it should kill the existing token for the client. But I was wondering how I could implement it. I searched Google, but there are only explanations of how to authenticate.

Answer 1

Score: 0

Without knowing more about your setup I'll have to use a few assumptions. In most cases access tokens (not just JWT) will have a time to live, i.e. a period during which they are valid and during which the service provider (your service) doesn't check for their validity again (for performance reasons). After the token has expired the service provider would normally use the refresh token provided by the identity provider (auth server) to get a new access token for that user - if still logged in.

So if the user logged out (and the identity provider knows of this) refreshing the access token would fail and thus you'd know the user has been logged out. Until then the service provider wouldn't attempt a refresh and wouldn't know the user logged out (elsewhere).

What to do? You might want to store the active access tokens and refresh tokens in your application (service provider) and if the user logs out you delete those associated with that user. The user would then be redirected to the identity provider.

If the user logs out elsewhere the identity provider would need to inform all service providers to delete certain access and refresh tokens.
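
The approach suggested in the answer (keep the active tokens in the service provider and delete a user's tokens on logout), as an added example in plain Java; it is not code from the question or the answer. The class name `ActiveTokenStore`, its methods, and the use of the JWT `jti` claim as the token id are assumptions.

```java
import java.time.Instant;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Added example: hypothetical server-side registry of active tokens, keyed by the JWT "jti" claim.
public class ActiveTokenStore {
    private record Entry(String user, Instant expiresAt) {}
    private final Map<String, Entry> byTokenId = new ConcurrentHashMap<>();
    private final Map<String, Set<String>> byUser = new ConcurrentHashMap<>();

    // Call whenever an access or refresh token is issued for a user.
    public void register(String tokenId, String user, Instant expiresAt) {
        byTokenId.put(tokenId, new Entry(user, expiresAt));
        byUser.computeIfAbsent(user, u -> ConcurrentHashMap.newKeySet()).add(tokenId);
    }
    // Call on every request, after the token's signature has been verified.
    public boolean isActive(String tokenId, Instant now) {
        Entry e = byTokenId.get(tokenId);
        if (e == null) return false;                       // unknown or already revoked
        if (!now.isBefore(e.expiresAt())) { revoke(tokenId); return false; }  // expired
        return true;
    }
    // Remove a single token and drop the user's index entry once it is empty.
    public void revoke(String tokenId) {
        Entry e = byTokenId.remove(tokenId);
        if (e == null) return;
        byUser.computeIfPresent(e.user(), (u, ids) -> {
            ids.remove(tokenId);
            return ids.isEmpty() ? null : ids;
        });
    }
    // Logout: delete every token associated with the user; returns how many were removed.
    public int logout(String user) {
        Set<String> ids = byUser.remove(user);
        if (ids == null) return 0;
        ids.forEach(byTokenId::remove);
        return ids.size();
    }

    public static void main(String[] args) {
        ActiveTokenStore store = new ActiveTokenStore();
        Instant now = Instant.now();
        store.register("access-1", "alice", now.plusSeconds(300));     // constructed sample ids
        store.register("refresh-1", "alice", now.plusSeconds(86_400));
        System.out.println("before logout: " + store.isActive("access-1", now));
        System.out.println("tokens removed: " + store.logout("alice"));
        System.out.println("after logout: " + store.isActive("access-1", now));
    }
}
```

In a Spring application the `isActive` check would sit in the filter that validates the JWT, and `logout` would be called from the logout controller. An in-memory map only covers a single instance; several instances need a shared store so that a logout on one is seen by all.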

huangapple
  • Posted on August 25, 2020 20:04:19
  • When reposting, please keep the link to this article: https://go.coder-hub.com/63578473.html