Implementing a logout using JWT  


DeddyH
New Member
Joined: 1 month  ago
Posts: 2
21 August 2017 8:28  

Hi Daniele,

first of all: thanks for your great work. I am currently playing around a little bit and got authentication working using an access-token. Now there are a few questions coming up:

- Does the framework have a possibility to generate a refresh token, or is the user meant to login again after the access-token has expired?

- How to implement a logout? AFAIK the token is held client-side, so the server cannot simply delete it or something like that. My idea is to blacklist the token on logout-request (in my authentication-database or maybe simply in a dictionary in memory), so on authorization I can check against this list and deny access even if the token is not expired yet. Is this good practice?

Greetings

Detlef 


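The logout idea from the post above, as an added example that is not part of the thread or of the framework's code: a server-side denylist that is checked on every authorization and holds a revoked token only until that token would have expired anyway. It is written in Python rather than Delphi, all names (`TokenDenylist`, `authorize`, `logout`) are hypothetical, and it assumes each token carries `jti` and `exp` claims and that its signature was verified before these functions are called.

```python
import threading
import time


class TokenDenylist:
    """In-memory denylist of revoked token ids (jti), pruned once they expire."""

    def __init__(self):
        self._revoked = {}            # jti -> exp (Unix seconds)
        self._lock = threading.Lock()

    def revoke(self, jti, exp):
        # Keep the entry only as long as the token itself would be valid.
        with self._lock:
            self._revoked[jti] = exp

    def is_revoked(self, jti, now=None):
        now = time.time() if now is None else now
        with self._lock:
            # Expired tokens fail the exp check anyway, so drop their entries.
            for old in [j for j, exp in self._revoked.items() if exp <= now]:
                del self._revoked[old]
            return jti in self._revoked

    def __len__(self):
        with self._lock:
            return len(self._revoked)


def authorize(claims, denylist, now=None):
    """Decide on claims whose signature has ALREADY been verified (assumption)."""
    now = time.time() if now is None else now
    jti, exp = claims.get("jti"), claims.get("exp")
    if jti is None or exp is None:
        return False                  # cannot be revoked or expired: refuse
    if exp <= now:
        return False                  # normal expiry
    return not denylist.is_revoked(jti, now)


def logout(claims, denylist):
    """Handle a logout request for an already-verified token."""
    denylist.revoke(claims["jti"], claims["exp"])
```

A dictionary in memory is lost on restart and is not shared between worker processes, so a token revoked in one process is still accepted by the others. Keeping the same `jti`/`exp` pairs in the authentication database avoids both problems.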
Daniele Teti
Eminent Member
Joined: 6 months  ago
Posts: 42
4 September 2017 22:53  

The JWT has been extended to support automatic refresh. Check the new 3.x version.

Daniele Teti
CEO & CTO @ bit Time Professionals
Embarcadero MVP
Books Author


DeddyH
New Member
Joined: 1 month  ago
Posts: 2
14 September 2017 15:26  

Thank you for your reply. I tried with a relogin on client side and it works really fast, so the user doesn't notice it. But now I have different problems: my service works great as standalone-program, also as Apache-module. But as ISAPI-module on IIS 10 there is the issue that all POST-requests have an empty body though I send JSON-data (verified by sniffing with Wireshark). I tried enabling CORS by adding the middleware, but this did not help. Meanwhile ALL requests end up in HTTP-statuscode 500. I think I need to uninstall IIS completely and try it again from the very start.


  