Added jwt blacklist subapp which enables blacklisting tokens and includes a default implementation. #115
Conversation
@jpadilla cleaned commit history, ready to go
Based on original discussion at #89
@jpadilla Sorry to bother, but any ETA on when/if you're going to merge this?
@jpadilla lmk if this needs anything else...
@erichonkanen hey I still haven't had a chance to try this out completely. I'm having trouble figuring out what a real world scenario would look like when building an app with this. Let's talk a bit more to figure out next steps.
@jpadilla sounds good, you can ping me on aim or just continue this thread, @avimeir if you want to chime in feel free... One use case I can see is where you are using JWT for authentication but you also want to provide a way to forcefully disable/log out/unauthenticate a user. As you mentioned you could rely on short JWT expire times, but that might not be enough. I was particularly interested in building a client-side (ember) enhancement that allowed activity-based logout where if a user was idle for X seconds, their JWT token was revoked (blacklisted) and they would have to get a new one to log in. That was my initial thought, not sure what/how others are using it...
Also, this was largely influenced by https://auth0.com/blog/2015/03/10/blacklist-json-web-token-api-keys/
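The forced-logout use case described above, as an added example that is not part of this pull request or of drf-jwt: a minimal HS256 JWT issuer plus a blacklist keyed on the token's `jti`, where `authenticate()` rejects a revoked token on every request and the blacklist prunes entries once the token would have expired anyway. The secret and the token values are constructed for the demo.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # assumption: HS256 key shared by issuer and verifier

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, jti: str, ttl: int, now: int) -> str:
    """Build header.payload.signature; jti gives the blacklist something to key on."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "jti": jti, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

class Blacklist:
    """Revoked token ids, each kept only until the token itself expires."""
    def __init__(self):
        self._revoked = {}  # jti -> exp

    def revoke(self, payload: dict) -> None:
        self._revoked[payload["jti"]] = payload["exp"]

    def contains(self, jti: str, now: int) -> bool:
        # Drop entries whose token is already expired; exp alone rejects those.
        for k in [k for k, exp in self._revoked.items() if exp <= now]:
            del self._revoked[k]
        return jti in self._revoked

def authenticate(token: str, blacklist: Blacklist, now: int):
    """Return (payload, 'ok') or (None, reason). Checked on every request."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None, "malformed"
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        return None, "bad signature"
    payload = json.loads(_unb64url(p))
    if payload["exp"] <= now:
        return None, "expired"
    if blacklist.contains(payload["jti"], now):
        return None, "revoked"
    return payload, "ok"
```

The blacklist only has to remember a token for as long as it remains valid, which keeps the store bounded when short expiry times are also in use.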
@erichonkanen yeah that'd be great, maybe we can come up with a useful demo.
finally got a demo up... https://jwtdemo-frontend.herokuapp.com/login you can log in and click the blacklist button, which should blacklist your token (logged-in user). If you reload the page you'll be logged out.. in the real world the user may be force logged out etc... also in another app I tested it in, when you try to hit any new resource endpoint it will also log you out. ps refresher
@jpadilla have you had a chance to look at the demo? thoughts?
closing this until it ever comes up again, if ever...
Hi guys @erichonkanen, @jpadilla, was this feature ever implemented? I need it to implement logout on my app. Thanks in advance!
hey, it's been a while so I don't remember where this left off, but feel free to take it on, the code should still be up in a branch
I had a look through the pull request from @erichonkanen and think it should be a solid base for a separate app. I'm going to see what I can do with it. @dheavy - curious if you'd made progress? Looking at the detailed changes made to existing drf-jwt classes to accommodate the blacklisting, there aren't exactly clean points from which to extend the new blacklist-related logic. I'm pretty sure this can be worked around in the short term by duplicating a few methods from the parent classes. A more elegant solution would be to add some more points of extensibility to this drf-jwt project. Given there are already quite a few PRs / issues on this project, I expect that may take some time to incorporate. Still, it would seem to be a way forward.