Details
- Feature Request
- Resolution: Unresolved
- Major
- None
- 20.0.1.Final
- None
- Low
Description
Hi,
We've been working with JWT using Elytron and we would like to know why there isn't a way to REVOKE tokens. Reading the documentation it seems elytron doesn't provide a way to double-check whether that valid JWT still has access to the application. If a class could be instantiated and a method called, the application could validate it, returning a boolean (indicating whether the user can proceed) or throwing an exception when permission is denied.
If such a feature isn't present, even though we blacklist the token (logging him out), the user is already logged in, and that can be a security breach.
Something like this would be great:
/subsystem=elytron/token-realm=app-realm:add(jwt={issuer=["issuer"],audience=["app"],key-store=app.ks,certificate="alias", validator="com.validator.TokenValidator"},principal-claim="sub")
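The check the reporter is asking for (signature validity is necessary but not sufficient; a post-signature hook decides whether the token is still allowed in) can be illustrated stand-alone. The following is an added example written for this page, not code from the issue, from Elytron or from WildFly: it assumes an HS256 shared-secret token rather than the key-store/certificate setup in the proposed CLI line, keys revocation on a `jti` claim (the issue does not say which claim would be used), and the names `RevocationValidator`, `authenticate` and `make_token` are hypothetical. The point it demonstrates is that a revoked token still passes `verify_signature` and is only stopped by the second stage.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret; a deployment would use the realm's key store.
SECRET = b"example-shared-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256-signed JWT (hypothetical helper, used only to build test input)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = "{}.{}".format(
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return "{}.{}".format(signing_input, _b64url_encode(sig))


def verify_signature(token: str, secret: bytes = SECRET) -> dict:
    """Stage 1: verify the HS256 signature and return the claims; raise ValueError on failure.
    This is the part a token realm already does; it says nothing about revocation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, "{}.{}".format(header_b64, payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


class RevocationValidator:
    """Stage 2: the role the issue asks a pluggable validator class to play.
    Returns True when the caller may proceed, raises PermissionError otherwise."""

    def __init__(self, revoked_jti: set, issuer: str, audience: str):
        # revoked_jti is the blacklist the reporter mentions; entries can be dropped once
        # the matching token's exp has passed, which bounds the size of the store.
        self.revoked_jti = revoked_jti
        self.issuer = issuer
        self.audience = audience

    def validate(self, claims: dict, now=None) -> bool:
        now = time.time() if now is None else now
        if claims.get("iss") != self.issuer:
            raise PermissionError("wrong issuer")
        aud = claims.get("aud")
        if aud != self.audience and not (isinstance(aud, list) and self.audience in aud):
            raise PermissionError("wrong audience")
        if "exp" in claims and claims["exp"] <= now:
            raise PermissionError("token expired")
        jti = claims.get("jti")
        if not jti:
            # A token without an identifier cannot be revoked individually, so reject it.
            raise PermissionError("token has no jti")
        if jti in self.revoked_jti:
            raise PermissionError("token {} has been revoked".format(jti))
        return True


def authenticate(token: str, validator: RevocationValidator, now=None) -> str:
    """Full check: signature first, then the revocation hook. Returns the subject."""
    claims = verify_signature(token)
    validator.validate(claims, now)
    return claims["sub"]


if __name__ == "__main__":
    revoked = set()
    validator = RevocationValidator(revoked, issuer="issuer", audience="app")
    token = make_token({"iss": "issuer", "aud": ["app"], "sub": "alice",
                        "jti": "t-1", "exp": 2000000000})
    print(authenticate(token, validator, now=1700000000))   # alice
    revoked.add("t-1")                                       # user logged out
    try:
        authenticate(token, validator, now=1700000000)
    except PermissionError as e:
        print("rejected:", e)                                # signature still valid, but revoked
```

The design choice worth noting is that the revocation list is consulted on every request after signature verification, so logging the user out takes effect immediately rather than at token expiry; the cost is a lookup per request, which is why keying on a short `jti` and expiring entries at `exp` matters.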