If the user changes his/her password, the old access tokens can still be used until they expire.
How to make access tokens invalid if username or password is changed. #59 !
I built a multi-platform project in which I need to log out users from other devices after they change their password,
and also to revoke the access token when a user logs out. Thanks.
Access tokens, by definition, cannot be blacklisted. There is no database hit to check access tokens. Only basic decoding/encoding.
You need to blacklist the corresponding refresh tokens. The expiry time of access tokens should be reasonably small so that anyone who gets an access token can use it only for a short duration without the refresh token.
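The behaviour described in the reply above, as an added example that is not part of the thread or of the project's code: access tokens are checked statelessly (signature and expiry only), while refresh tokens carry an id that is looked up in a blacklist. It assumes a hand-rolled HMAC token in place of a real JWT library; the function names, key, and lifetimes are hypothetical.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-key"      # constructed value, not a real key
ACCESS_TTL, REFRESH_TTL = 300, 86400  # assumed lifetimes in seconds
outstanding = {}                      # jti -> user; stands in for a DB table
blacklist = set()                     # revoked refresh-token ids


def _sign(payload):
    body = base64.urlsafe_b64encode(json.dumps(payload).encode())
    mac = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + mac).decode()


def _verify(token, kind, now):
    body, _, mac = token.encode().partition(b".")
    good = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, good):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["typ"] != kind or claims["exp"] <= now:
        return None
    return claims


def issue_pair(user, now):
    jti = secrets.token_hex(8)
    outstanding[jti] = user
    access = _sign({"typ": "access", "sub": user, "exp": now + ACCESS_TTL})
    refresh = _sign({"typ": "refresh", "sub": user, "jti": jti,
                     "exp": now + REFRESH_TTL})
    return access, refresh


def check_access(token, now):
    """Stateless: signature and expiry only, no lookup."""
    claims = _verify(token, "access", now)
    return claims["sub"] if claims else None


def refresh_access(refresh, now):
    """Stateful: the refresh token's jti is checked against the blacklist."""
    claims = _verify(refresh, "refresh", now)
    if claims is None or claims["jti"] in blacklist:
        return None
    return _sign({"typ": "access", "sub": claims["sub"], "exp": now + ACCESS_TTL})


def on_password_change(user):
    """Blacklist every outstanding refresh token issued to the user."""
    blacklist.update(j for j, u in outstanding.items() if u == user)
```

After `on_password_change`, an already issued access token keeps passing `check_access` until `ACCESS_TTL` runs out, which is why that lifetime has to be short.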
On Sat, Dec 14, 2019 at 6:10 PM Adwait Thattey ***@***.***> wrote:
Access tokens, by definition, cannot be blacklisted. There is no database
hit to check access tokens. Only basic decoding/encoding.
You need to blacklist the corresponding refresh tokens. The expiry time of
access tokens should be reasonably small so that anyone who gets an access
token can use it only for a short duration without the refresh token.