Implementing a logout using JWT
First of all: thanks for your great work. I am currently playing around a little bit and got authentication working using an access-token. Now there are a few questions coming up:
- Does the framework have a possibility to generate a refresh token, or is the user meant to log in again after the access-token has expired?
- How to implement a logout? AFAIK the token is held client-side, so the server cannot simply delete it or something like that. My idea is to blacklist the token on logout-request (in my authentication-database or maybe simply in a dictionary in memory), so on authorization I can check against this list and deny access even if the token is not expired yet. Is this good practice?
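The denylist idea from the post above, sketched as an added example (not code from this thread or from the framework it discusses). It uses only the Python standard library; the key, the `Denylist` class and the function names are constructed for illustration, and each token carries a `jti` claim so it can be revoked individually.

```python
import base64, hashlib, hmac, json, uuid

SECRET = b"constructed-demo-key"  # constructed value; load from a secret store in practice

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue(user: str, ttl: int, now: float) -> str:
    """Issue an HS256 token with a unique jti so it can be revoked on its own."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "exp": int(now) + ttl, "jti": uuid.uuid4().hex}
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_sign(header + '.' + body)}"

def verify(token: str, now: float) -> dict:
    """Check signature, algorithm and expiry; raise ValueError on any failure."""
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(header + "." + body)):
            raise ValueError("bad signature")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError) as exc:
        raise ValueError(f"invalid token: {exc}") from None
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims

class Denylist:
    """In-memory jti -> exp map; an entry is dropped once its token has expired anyway."""
    def __init__(self):
        self._revoked = {}

    def logout(self, token: str, now: float) -> None:
        claims = verify(token, now)  # only genuine, unexpired tokens are recorded
        self._revoked[claims["jti"]] = claims["exp"]

    def authorize(self, token: str, now: float) -> dict:
        # Prune first so the map never grows beyond the set of still-valid tokens.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        claims = verify(token, now)
        if claims["jti"] in self._revoked:
            raise ValueError("token revoked")
        return claims
```

An in-memory map is per process and is lost on restart, so a deployment with several worker processes needs a shared store for the revoked `jti` values.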
Thank you for your reply. I tried with a relogin on client side and it works really fast, so the user doesn't notice it. But now I have different problems: my service works great as standalone-program, also as Apache-module. But as ISAPI-module on IIS 10 there is the issue that all POST-requests have an empty body though I send JSON-data (verified by sniffing with Wireshark). I tried enabling CORS by adding the middleware, but this did not help. Meanwhile ALL requests end up in HTTP-statuscode 500. I think I need to uninstall IIS completely and try it again from the very start.