WildFly: WFLY-13801

JWT Revoke Feature


Details

    Type: Feature Request
    Resolution: Unresolved
    Priority: Major
    Fix Version/s: None
    Affects Version/s: 20.0.1.Final
    Component/s: Security
    Labels: None
    Estimated Difficulty: Low

    Description

    Hi,

    We've been working with JWT using Elytron and we would like to know why there isn't a way to REVOKE tokens. Reading the documentation, it seems Elytron doesn't provide a way to double-check whether a valid JWT still has access to the application. If a class could be instantiated and a method called, the application could validate it, returning a boolean (indicating whether the user can proceed) or throwing an exception when permission is denied.

    If such a feature isn't present, even though we blacklist the token (logging the user out), the user is already logged in, and that can be a security breach.

    Something like this would be great:

    /subsystem=elytron/token-realm=app-realm:add(jwt={issuer=["issuer"],audience=["app"],key-store=app.ks,certificate="alias", validator="com.validator.TokenValidator"},principal-claim="sub")
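The gap the report describes, a cryptographically valid JWT that the realm accepts even after the application has "logged the user out", is what the requested validator hook would close. The following is an added example, not WildFly or Elytron code and not the reporter's, written in Python with the standard library only so it runs stand-alone; it models what such a hook has to do: after the checks a token realm already performs (pinned algorithm, signature, iss, aud, exp) it consults a revocation store. The store keeps a per-token denylist keyed by jti, pruned once the token has expired anyway, plus a per-subject "issued-before" cutoff that kills every earlier token of a user (password change, log out everywhere) without listing each jti. `make_token`, `RevocationStore`, `authorize` and the HS256 key, issuer, audience and timestamps are this example's own constructed names and data; the same logic would sit behind a class like the `com.validator.TokenValidator` the reporter proposes, or today in a servlet filter in front of the application.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT for the constructed sample data below."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_and_decode(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """The checks a token realm already does: alg, signature, iss, aud, exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm; never let the token choose it (alg=none, key confusion).
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    return claims


class RevocationStore:
    """Hypothetical in-memory store the validator hook would consult.
    Per-token denylist keyed by jti (kept only until that token's own exp)
    plus a per-subject cutoff: every token issued (iat) before it is dead."""

    def __init__(self) -> None:
        self._revoked_jti = {}     # jti -> exp
        self._subject_cutoff = {}  # sub -> unix time

    def revoke_token(self, claims: dict) -> None:
        self._revoked_jti[claims["jti"]] = int(claims["exp"])

    def revoke_subject(self, sub: str, at: int) -> None:
        self._subject_cutoff[sub] = max(at, self._subject_cutoff.get(sub, 0))

    def purge(self, now: int) -> int:
        """Drop denylist entries whose token has expired anyway; returns the count."""
        dead = [j for j, exp in self._revoked_jti.items() if exp <= now]
        for j in dead:
            del self._revoked_jti[j]
        return len(dead)

    def is_revoked(self, claims: dict) -> bool:
        jti = claims.get("jti")
        if jti is None or jti in self._revoked_jti:
            return True  # fail closed: without a jti a token can never be revoked individually
        cutoff = self._subject_cutoff.get(claims.get("sub"))
        return cutoff is not None and int(claims.get("iat", 0)) < cutoff


def authorize(token: str, key: bytes, store: RevocationStore,
              issuer: str, audience: str, now: int) -> bool:
    """True only if the token verifies AND the store has not revoked it."""
    try:
        claims = verify_and_decode(token, key, issuer, audience, now)
    except (ValueError, KeyError):
        return False
    return not store.is_revoked(claims)


# Constructed sample data (not real keys or tokens).
KEY = b"constructed-demo-key-not-for-production"
ISSUER, AUDIENCE, NOW = "issuer", "app", 1_600_000_000


def demo() -> dict:
    store = RevocationStore()
    base = {"iss": ISSUER, "aud": [AUDIENCE], "exp": NOW + 3600}
    alice1 = {**base, "sub": "alice", "jti": "t-1", "iat": NOW - 60}
    alice2 = {**base, "sub": "alice", "jti": "t-2", "iat": NOW - 30}
    bob = {**base, "sub": "bob", "jti": "t-3", "iat": NOW - 30}
    tokens = {n: make_token(c, KEY) for n, c in (("a1", alice1), ("a2", alice2), ("bob", bob))}

    def check(name: str) -> bool:
        return authorize(tokens[name], KEY, store, ISSUER, AUDIENCE, NOW)

    out = {"fresh": check("a1")}
    store.revoke_token(alice1)          # alice logs out of this one session
    out["after_logout"] = check("a1")   # the same still-valid JWT is now refused
    out["other_session"] = check("a2")
    store.revoke_subject("alice", NOW)  # password change: every earlier token dies
    out["after_subject_cutoff"] = check("a2")
    out["bob_unaffected"] = check("bob")
    out["purged"] = store.purge(NOW + 3601)
    return out
```

Two points matter in practice: the issuer must put a unique `jti` (and `iat`) in every token, otherwise individual revocation is impossible and this example fails closed; and the store must be shared by every node that validates tokens (a database or cache), since a denylist local to one instance gives the reporter's "already logged in" window on every other instance.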

People

    Assignee: Unassigned
    Reporter: Paulo Cesar Silva Reis (casmeiron, Inactive)
    Votes: 0
    Watchers: 2