Implementing a logout using JWT  


DeddyH
Active Member
Joined: 3 months  ago
Posts: 6
21 August 2017 8:28  

Hi Daniele,

first of all: thanks for your great work. I am currently playing around a little bit and got authentication working using an access-token. Now there are a few questions coming up:

- Does the framework have a possibility to generate a refresh token, or is the user meant to log in again after the access-token has expired?

- How to implement a logout? AFAIK the token is held client-side, so the server cannot simply delete it or something like that. My idea is to blacklist the token on logout-request (in my authentication-database or maybe simply in a dictionary in memory), so on authorization I can check against this list and deny access even if the token is not expired yet. Is this good practice?

Greetings

Detlef 


Daniele Teti
Eminent Member
Joined: 8 months  ago
Posts: 46
4 September 2017 22:53  

The JWT has been extended to support automatic refresh. Check the new 3.x version.

Daniele Teti
CEO & CTO @ bit Time Professionals
Embarcadero MVP
Books Author


DeddyH
Active Member
Joined: 3 months  ago
Posts: 6
14 September 2017 15:26  

Thank you for your reply. I tried with a relogin on client side and it works really fast, so the user doesn't notice it. But now I have different problems: my service works great as standalone-program, also as Apache-module. But as ISAPI-module on IIS 10 there is the issue that all POST-requests have an empty body though I send JSON-data (verified by sniffing with Wireshark). I tried enabling CORS by adding the middleware, but this did not help. Meanwhile ALL requests end up in HTTP-statuscode 500. I think I need to uninstall IIS completely and try it again from the very start.


Mathias Pannier
Active Member
Joined: 7 months  ago
Posts: 17
19 October 2017 13:39  

Which Delphi version are you using?

I also had some problems with different Delphi Versions and ISAPIs.

My last change was in MVCFramework.pas, in `function TMVCWebRequest.Body: string;`. I have added the line `FWebRequest.ReadTotalContent;` before the line `FBody := Encoding.GetString(FWebRequest.RawContent);`. You could also debug this method to find out more.

I use Delphi 10.2 Berlin.


DeddyH
Active Member
Joined: 3 months  ago
Posts: 6
19 October 2017 13:55  

I am currently using 10.1 Berlin (10.2 is Tokyo AFAIR). Thanks for your suggestion, I will try it out.


Mathias Pannier
Active Member
Joined: 7 months  ago
Posts: 17
19 October 2017 14:00  

My mistake. I mean 10.2 Tokyo. 


DeddyH
Active Member
Joined: 3 months  ago
Posts: 6
24 October 2017 9:33  

Sorry for the delay. I implemented your suggestion and it seems this did the trick. Thank you very much.


Mathias Pannier
Active Member
Joined: 7 months  ago
Posts: 17
24 October 2017 9:52  

I'm glad I could help.

