weixin_39802814
2020-11-25 15:57

How to blacklist a user-generated refresh token

I want to blacklist a user-generated refresh token. One way is to put it on a blacklist, but since the token is generated by the user, how would I know which token a particular user has? I don't want to store these tokens in the DB and query the DB each time for the blacklist check.

Edit: The user I am referring to here is an API user.

This question comes from the open-source project: vimalloc/flask-jwt-extended


5 replies

  • weixin_39685697, 5 months ago

    When they create an access or refresh token using the username and password supplied, you can store the created token in a database with their username and a revoked status of unrevoked. Then, when you want to actually revoke the refresh tokens, you can go to the database, find tokens that have been created by the given username, and update the revoked status in the database. Basically you are storing the tokens at creation time, instead of at revocation time, and checking the database to see if they have been revoked or not whenever the token is used.

    Here is an example you could use to get started with this: https://github.com/vimalloc/flask-jwt-extended/tree/master/examples/database_blacklist

  • weixin_39685697, 5 months ago

    How is the token generated by the user? That sounds really bad tbh. Possible security concerns about users creating their own tokens aside, if they have the secret needed to generate tokens and one of their tokens gets blacklisted, they could just create another and keep going on their way.

    All that said, if you do want to blacklist user-created tokens, it wouldn't really be any different than the solution outlined in the documentation. You will need to create an endpoint, grab the token in that endpoint, and put it into your blacklist data store.

  • weixin_39802814, 5 months ago

    How can I grab that particular token that is created by some API user?

  • weixin_39685697, 5 months ago

    You need to have the token sent to your backend by the user. In this extension, you can set up your backend by using the decorator and the `get_raw_jwt()` function in your endpoint. See: http://flask-jwt-extended.readthedocs.io/en/latest/blacklist_and_token_revoking.html

  • weixin_39802814, 5 months ago

    I have read the docs, but this approach is fine when you are integrating your Flask API with a front-end or mobile app and you yourself are handling the front-end or mobile app: you can blacklist the tokens whenever you want because you are handling the tokens.

    But let's take the use case where you want to give access to a third party. In that case you have to give them a username and password so that they can access my APIs. Let's assume that they have started consuming our APIs and after some time I want to revoke their access; for that I can change the status in my DB for that user, and the third-party user will not be able to generate tokens (access/refresh) again, but they already have an access token and a refresh token. The access token might expire as it has a short life, but generally a refresh token has a long life. So in this case the third-party user is still able to use the refresh token to generate an access token and use my APIs until the refresh token expires.

    So in this case how can I revoke the third-party access token, since I don't have the refresh token generated by the third-party API user?

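A worked example of the approach in the first answer (record each token at issue time, flip a revoked flag, check the flag whenever the token is used) applied to the third-party case in the last post, where the server never holds the refresh token but must still cut off a given API user. This is an added example, not code from the thread or from flask-jwt-extended: it uses a small stdlib HS256 encoder in place of the extension's token functions and a dict in place of the database table, and the names `issue_refresh_token`, `refresh_access_token`, `revoke_user`, `is_revoked` and `TOKEN_STORE` are assumptions of this example. The `jti` claim embedded in every refresh token is what links it back to the row written at creation, so revocation needs only the username, never the token itself.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed demo secret; a real deployment loads this from configuration.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"

REFRESH_TTL = 30 * 24 * 3600   # refresh tokens are long-lived (30 days here)
ACCESS_TTL = 15 * 60           # access tokens are short-lived (15 minutes here)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_token(claims: dict) -> str:
    """Minimal HS256 JWT encoder (stand-in for the extension's create_*_token)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET_KEY, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_token(token: str) -> dict:
    """Verify signature and expiry; raises ValueError on any failure."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SECRET_KEY, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims


# Stand-in for the database table described in the first answer:
# jti -> {"user": ..., "revoked": bool}. A row is written when the token is issued.
TOKEN_STORE: Dict[str, dict] = {}


def issue_refresh_token(username: str) -> str:
    """Issue a refresh token and record its jti against the user, unrevoked."""
    jti = secrets.token_hex(16)
    now = int(time.time())
    TOKEN_STORE[jti] = {"user": username, "revoked": False, "issued_at": now}
    return encode_token({"sub": username, "type": "refresh", "jti": jti,
                         "iat": now, "exp": now + REFRESH_TTL})


def is_revoked(claims: dict) -> bool:
    """A jti we never recorded counts as revoked: only tokens we issued are honoured."""
    row = TOKEN_STORE.get(claims.get("jti", ""))
    return row is None or row["revoked"]


def refresh_access_token(refresh_token: str) -> Optional[str]:
    """The /refresh endpoint: mint a short-lived access token, or None if refused."""
    try:
        claims = decode_token(refresh_token)
    except ValueError:
        return None
    if claims.get("type") != "refresh" or is_revoked(claims):
        return None
    now = int(time.time())
    return encode_token({"sub": claims["sub"], "type": "access",
                         "jti": secrets.token_hex(16), "iat": now, "exp": now + ACCESS_TTL})


def revoke_user(username: str) -> int:
    """Revoke every live refresh token issued to this API user; returns how many were flipped."""
    flipped = 0
    for row in TOKEN_STORE.values():
        if row["user"] == username and not row["revoked"]:
            row["revoked"] = True
            flipped += 1
    return flipped


if __name__ == "__main__":
    vendor_token = issue_refresh_token("thirdparty-vendor")   # handed to the third party
    print("refresh before revocation:", refresh_access_token(vendor_token) is not None)
    print("rows revoked:", revoke_user("thirdparty-vendor"))
    print("refresh after revocation:", refresh_access_token(vendor_token) is not None)
```

In flask-jwt-extended 3.x the `is_revoked` lookup would live in the function registered with `@jwt.token_in_blacklist_loader`, which receives the decoded token (the same `jti` is available inside an endpoint via `get_raw_jwt()`), and the store would be the real table from the linked database_blacklist example. Note that `is_revoked` treats an unknown `jti` as revoked, so a token minted outside the issuing path is refused even if its signature verifies.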
