
JWT token revocation by the resource server is an additional security element.
Any token which is no longer needed but is still valid must be revoked; otherwise whoever holds it could keep presenting it to the service and be accepted under that identity.
The revocation operation is performed via an explicit request to a dedicated web API.


Configuring revocation management

Revocation management is not enabled by default. To make it operational, a JwtRevokeConfiguration-type bean needs to be declared in the Beans.xml file.


jwtRevokeConfiguration

<bean id="jwtTokensRevocation" class="com.hardis.adelia.webservice.JwtRevokeConfiguration" init-method="loadTokensMap" destroy-method="saveTokensMap" />

or

<bean id="jwtTokensRevocation" class="com.hardis.adelia.webservice.JwtRevokeConfiguration" init-method="loadTokensMap" destroy-method="saveTokensMap">
      <property name="jwtClaimId"               value="???"/> <!-- default value: jti -->
      <property name="jwtPurgeFrequencyTime"    value="???"/> <!-- default value: 3600 -->
</bean>



  • jwtClaimId: Name of claim identifying the JWT token. Default value: "jti". This information is only useful if you wish to know whether a token, identified by its ID, has been revoked.
  • jwtPurgeFrequencyTime: Purge frequency, in seconds, of the revoked token table. Default value: 3600. To be adapted according to the token validity period.


Who can revoke a token?

The token can only be revoked by a request authenticated by the same token.


Revoked token table persistence

The revoked token table remains after the resource server has been restarted.


Revoked token table purge

The revoked token table is purged at a specific frequency (every hour by default; see jwtPurgeFrequencyTime). Only revoked tokens whose validity period has expired are removed from the table, since an expired token is rejected anyway.


Web APIs

Each entry below gives the objective, the API access point, the HTTP verb, the response and the possible HTTP status codes.

Revocation
  API access point: /<ContextPath>/<CXF_url-pattern>/tokens/revocation
  HTTP verb: @DELETE
  Response: Media-type: text/plain; values: true | false
  Status: 200, 401, 404

Is the jwtId token revoked?
  API access point: /<ContextPath>/<CXF_url-pattern>/tokens/revocation/{jwtId}
  HTTP verb: @GET
  Response: Media-type: text/plain; values: true | false
  Status: 200, 401, 404

List of revoked tokens
  API access point: /<ContextPath>/<CXF_url-pattern>/tokens/revocation/list
  HTTP verb: @GET
  Response: Media-type: application/json, for example:
  [
    {
      "jwtId": "TokenId__FE706DC72E90060E9E88FB887ACB72E1_25_1619685311434",
      "revokedBy": "userName",
      "revocationRequestDate": "2021-04-29T08:35Z",
      "expirationDate": 1619688911
    },
    {
      "jwtId": "TokenId__FE706DC72E90060E9E88FB887ACB72E1_28_1619685265807",
      "revokedBy": "userName",
      "revocationRequestDate": "2021-04-29T08:35Z",
      "expirationDate": 1619688865
    }
  ]
  Status: 200, 401, 404



HTTP Code:

  • If the operation is successful: HTTP Code = 200

  • If the operation fails because the revocation request is not authorized: HTTP Code = 401

  • If the JwtRevokeConfiguration bean is not declared (= revocation not active) or if the requested token is not found: HTTP Code = 404.


Example of token revocation - Adelia code
EXECUTE_HTTP *URL('http://mysite/mawebapp/ws/tokens/revocation') *OPTIONS('--request DELETE --header Accept: text/plain --header Authorization:JWT <jwt_token>') *RESPONSE(VarRetCode) *HTTP_CODE(VarHttpCode)
Note: "<jwt_token>" corresponds to the token value
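The following Python model illustrates the revoked-token table semantics described above (entries keyed by the claim named by jwtClaimId, the record fields returned by the list API, and the purge that only drops revoked tokens that have since expired). It is an added example, not Adelia code; the token builder is a constructed, unsigned sample for illustration only, and the resource server is assumed to have verified the signature before the table is consulted.

```python
import base64
import json
from datetime import datetime, timezone


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def encode_token(claims: dict) -> str:
    # Constructed sample only: a compact JWT whose signature segment is a placeholder.
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.SIGNATURE_PLACEHOLDER"


def jwt_claims(token: str) -> dict:
    # Decode the payload segment only; signature verification is assumed done earlier.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


class RevokedTokenTable:
    """Model of the revoked-token table kept by the resource server."""

    def __init__(self, jwt_claim_id: str = "jti"):
        self.jwt_claim_id = jwt_claim_id  # mirrors the jwtClaimId property
        self.entries = {}

    def revoke(self, token: str, revoked_by: str, now: int) -> str:
        # Record the token under its identifying claim, as returned by the list API.
        claims = jwt_claims(token)
        jwt_id = claims[self.jwt_claim_id]
        request_date = datetime.fromtimestamp(now, timezone.utc).strftime("%Y-%m-%dT%H:%MZ")
        self.entries[jwt_id] = {
            "jwtId": jwt_id,
            "revokedBy": revoked_by,
            "revocationRequestDate": request_date,
            "expirationDate": claims["exp"],  # Unix time taken from the exp claim
        }
        return jwt_id

    def is_revoked(self, jwt_id: str) -> bool:
        return jwt_id in self.entries

    def purge(self, now: int) -> int:
        # Drop only revoked tokens whose validity period has expired; returns the count removed.
        expired = [k for k, e in self.entries.items() if e["expirationDate"] <= now]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def list_entries(self) -> list:
        return list(self.entries.values())
```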
