Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share

0 votes
512 views
in Technique[技术] by (71.8m points)

authentication - How to invalidate a JsonWebToken on demand in Quarkus?

Suppose user has pressed logout and her token should be invalidated.

I read that I can't expire a token on demand and should implement some blacklisting or other custom check (which is a separate absurdity). Okay, I put a GUID inside the token and also have the GUID in the user record. When the user logs out, I delete her GUID and can then tell that the token is invalidated.

But unfortunately, the token still passes the Quarkus annotation checks. For example,

@GET
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@RolesAllowed({"MYROLE"})
@SecurityRequirement(name = "auth", scopes = {"auth"})
public Response getUserItems(...params...) {
    // my code
}

Here my code is still executed, because Quarkus thinks the token is okay. I need to add an additional check in each endpoint to detect invalid tokens.

How do I make Quarkus know the token is bad?

question from: https://stackoverflow.com/questions/65849571/how-to-invalidate-jsonwebtoken-by-demand-in-quarkus


1 Reply

0 votes
by (71.8m points)

The JWT auth extension of Quarkus is only concerned with validation of the JWT token on the basis of its structure and signature. As you mention, the token is still valid even if you mark it as expired in your custom logic (if its expiration date is in the future). The token itself is completely unaffected by the fact that you decided to treat it as invalid. Therefore, the check whether a technically valid token has been marked as rejected by your app must be done by your app logic.

One way to make this check fairly generic would be to assign a unique ID to each token (e.g. as a claim) and keep track of valid tokens, e.g. in a simple DB table. Then you can create a CDI interceptor or JAX-RS filter that checks whether the token ID exists in your DB table and, if not, aborts the request with 401. (You can of course use your user table if all your tokens are only assigned to users.)


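As an added illustration, not code from the question or the answer, here is one way to implement the JAX-RS filter the answer describes in Quarkus. It assumes each token carries the standard `jti` (token ID) claim and uses a hypothetical in-memory `ActiveTokenStore` in place of the DB table; it uses the `javax` namespace current for Quarkus at the time of this question (Quarkus 3 moved to `jakarta`).

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import javax.annotation.Priority;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

import org.eclipse.microprofile.jwt.JsonWebToken;

// Stand-in for the answer's "simple DB table" of still-valid token IDs
// (hypothetical in-memory store; a real app would back this with persistence).
@ApplicationScoped
class ActiveTokenStore {
    private final Set<String> active = ConcurrentHashMap.newKeySet();

    public void register(String tokenId) { active.add(tokenId); }   // call on login
    public void revoke(String tokenId) { active.remove(tokenId); }  // call on logout
    public boolean isActive(String tokenId) {
        // A token without a jti (null) is never considered active: fail closed.
        return tokenId != null && active.contains(tokenId);
    }
}

// Quarkus has already verified signature and expiry before JAX-RS filters run,
// so this filter only decides whether a technically valid token was revoked.
@Provider
@Priority(Priorities.AUTHORIZATION)
public class RevokedTokenFilter implements ContainerRequestFilter {
    @Inject
    ActiveTokenStore store;

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        Principal principal = ctx.getSecurityContext().getUserPrincipal();
        if (!(principal instanceof JsonWebToken)) {
            return; // no JWT on this request (e.g. a @PermitAll endpoint): nothing to revoke
        }
        // getTokenID() returns the "jti" claim, the standard unique-token-id claim.
        String tokenId = ((JsonWebToken) principal).getTokenID();
        if (!store.isActive(tokenId)) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
        }
    }
}
```

The logout endpoint calls `store.revoke(jti)`; from then on every request carrying that token is aborted with 401 before any resource method runs, so no per-endpoint check is needed.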