
Let's consider a special scenario: an admin (Admin A) logs in and starts doing some admin tasks on the system. Suddenly another admin (SuperAdmin) wants to downgrade Admin A to a normal user for some reason. However, even though Admin A is now just a normal user, his token is still an admin token. So he can still do admin stuff until the token automatically expires in one hour.

So, in a scenario like this, what's the way to expire that token manually? Should the system use a DB query to check the user level for each admin route? Or is there any other way to achieve this?

Is there any way to configure the core gateway to check the validity of the token?

I think if I check the validity of the token for each request in the core gateway, we have a lot of overhead, and it defeats the entire purpose of using JWTs in my opinion.

amir
  • As JWTs are by definition stateless, you cannot manually expire them. The best way to use JWTs is to use a very short validity time, around 15 minutes, and refresh the JWT when it expires using a refresh token. This leaves a small window of time where the user still has a valid token, but if this is not acceptable, you may have to maintain a deny-list of these tokens, where the still-active token is added to this deny-list and the server checks this list on every request. In this case the flexibility of using JWT is gone. – Sai Upadhyayula Nov 22 '20 at 21:33
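The short-lifetime plus deny-list approach from the comment above, worked through as an added example. This is not code from the question, the answer, or any JWT library: the HS256 signing is hand-rolled from the Python standard library so it runs offline, and the names `TOKEN_GEN`, `DENY_LIST`, `gateway_authorize` and the per-user generation counter are assumptions for illustration. The generation counter goes one step beyond the comment: bumping it on downgrade kills every token the user holds, while the jti deny-list kills one specific token. Both cost a single in-memory (or cache) lookup per request, which is the state the question wanted to avoid, but it is far cheaper than re-querying the user's role from the database on every admin route.

```python
import base64, hashlib, hmac, json, uuid

SECRET = b"constructed-demo-secret-not-for-production"   # constructed for this example only
ACCESS_TTL = 15 * 60                                     # short-lived access token, as the comment suggests

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Server-side state (assumed names). In production this would live in Redis or similar.
TOKEN_GEN: dict[str, int] = {}   # sub -> current token generation; bumping it invalidates all older tokens
DENY_LIST: dict[str, int] = {}   # jti -> exp; kills one specific token, prunable once it would have expired

def issue_token(sub: str, role: str, now: int) -> str:
    """Mint an HS256 JWT carrying the role, a short exp, a unique jti and the user's current generation."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "role": role, "iat": now, "exp": now + ACCESS_TTL,
               "jti": uuid.uuid4().hex, "gen": TOKEN_GEN.get(sub, 0)}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_signature(token: str) -> dict:
    """Return the payload if the token is well-formed and its HS256 signature verifies; raise otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_unb64url(h)).get("alg") != "HS256":   # pin the algorithm; never honour alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(p))

def revoke_all_tokens(sub: str) -> None:
    """What SuperAdmin's downgrade needs: every token Admin A currently holds becomes invalid."""
    TOKEN_GEN[sub] = TOKEN_GEN.get(sub, 0) + 1

def deny_token(payload: dict) -> None:
    """Kill one specific token (e.g. a reported leak) without touching the user's other sessions."""
    DENY_LIST[payload["jti"]] = payload["exp"]

def prune_deny_list(now: int) -> None:
    """An entry is only needed until the token would have expired anyway, so the list stays bounded."""
    for jti, exp in list(DENY_LIST.items()):
        if exp <= now:
            del DENY_LIST[jti]

def gateway_authorize(token: str, required_role: str, now: int) -> bool:
    """Per-request check at the gateway: signature, exp, then the two revocation lookups, then the role."""
    try:
        payload = verify_signature(token)
    except ValueError:
        return False
    if payload["exp"] <= now:
        return False
    if payload["jti"] in DENY_LIST:
        return False
    if payload["gen"] != TOKEN_GEN.get(payload["sub"], 0):
        return False
    return payload["role"] == required_role

def downgrade_scenario() -> dict:
    """Walk through the question's scenario on a fixed clock (constructed timestamps)."""
    t0 = 1_600_000_000
    admin_token = issue_token("adminA", "admin", t0)
    results = {"admin_before": gateway_authorize(admin_token, "admin", t0 + 60)}
    revoke_all_tokens("adminA")                                # SuperAdmin downgrades Admin A
    results["admin_after_downgrade"] = gateway_authorize(admin_token, "admin", t0 + 120)
    user_token = issue_token("adminA", "user", t0 + 130)       # refreshed token carries the new role
    results["refreshed_as_admin"] = gateway_authorize(user_token, "admin", t0 + 140)
    results["refreshed_as_user"] = gateway_authorize(user_token, "user", t0 + 140)
    deny_token(verify_signature(user_token))                   # deny just this one token
    results["denied_single"] = gateway_authorize(user_token, "user", t0 + 150)
    prune_deny_list(t0 + 130 + ACCESS_TTL)                     # once exp has passed the entry can go
    results["deny_list_empty"] = len(DENY_LIST) == 0
    results["expired"] = gateway_authorize(user_token, "user", t0 + 130 + ACCESS_TTL)
    return results

if __name__ == "__main__":
    print(downgrade_scenario())
```

The order of checks in `gateway_authorize` matters: signature first, so an attacker cannot probe the deny-list or generation store with forged tokens; exp second, so expired tokens never reach the stateful lookups at all. Whether the remaining window (up to 15 minutes with no lookups, or zero with them) is acceptable is the trade-off the comment describes.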

1 Answer


I am going with: JWTs are not designed for sessions or stateful representations of data.

Therefore either accept this or do some messy hack with an "allow/white list".

Option 2.

Use sessions.

Jcov
  • Thanks for helping. What about using a User Account and Authentication (UAA) server? – amir Nov 20 '20 at 10:09