I am using Express Gateway as API gateway middleware with the following setup.
- Express Gateway serves as a gateway only.
- My auth (user database) server is at a different location and I am routing all login requests to the auth server to get a JWT.
- Multiple resource servers are behind Express Gateway. They will not authorize or authenticate any request. All incoming requests are treated as already authenticated.
I have set up the EG config in such a way that it verifies the JWT and only passes requests with a correct JWT. Because the authorization checkCredentialExistence on the gateway itself.
Problem
When a user sends a logout request, I revoke both the access and refresh tokens from the auth server. But the revoked JWT is still a valid token, and the gateway keeps passing incoming requests with the revoked JWT.
Is there a way to check with a remote API whether the JWT is still valid in Express Gateway?
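
One way to do the remote check asked about above, as an added example that is not part of the original post and not Express Gateway's own code: an Express-style middleware meant to run after the gateway's JWT signature verification, which asks the auth server whether the token's id has been revoked. The `lookup` callback, the use of the `jti` and `exp` claims, and the cache TTL are assumptions.

```javascript
// Added example. Assumes the signature was already verified by an earlier step,
// and that the auth server puts a unique `jti` and an `exp` claim in every token.
function readClaims(authHeader) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authHeader || '');
  if (!m) return null;
  try {
    // Node's 'base64' decoder also accepts the URL-safe alphabet used by JWTs.
    return JSON.parse(Buffer.from(m[2], 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
}

// lookup(jti, cb) is a hypothetical function that queries the auth server and
// calls cb(err, revoked). activeTtlMs bounds how long a logged-out token can
// still pass because of a cached "active" answer.
function revocationCheck({ lookup, activeTtlMs = 5000, now = Date.now }) {
  const cache = new Map(); // jti -> { revoked, until }
  return function (req, res, next) {
    const claims = readClaims(req.headers.authorization);
    if (!claims || typeof claims.jti !== 'string') {
      return res.status(401).json({ error: 'token has no id' });
    }
    const hit = cache.get(claims.jti);
    if (hit && hit.until > now()) {
      return hit.revoked ? res.status(401).json({ error: 'token revoked' }) : next();
    }
    lookup(claims.jti, (err, revoked) => {
      // Fail closed: if the auth server cannot answer, do not forward the request.
      if (err) return res.status(503).json({ error: 'revocation check unavailable' });
      // A revoked id is remembered until the token expires on its own;
      // an "active" answer is trusted only for activeTtlMs.
      const until = revoked ? (claims.exp || 0) * 1000 : now() + activeTtlMs;
      cache.set(claims.jti, { revoked, until });
      return revoked ? res.status(401).json({ error: 'token revoked' }) : next();
    });
  };
}
```

Express Gateway policies are Express middleware, so a function of this shape could be registered as a custom policy placed after the `jwt` policy in the pipeline. The cache here has no eviction, which a long-running gateway would need.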