Logging out #178
Comments
@nowakov that is what I have been doing for now (just removing the token from the front end). Any chance you ended up with something different? Does seem like a valuable feature for the library.
Logout is not supported in a stateless token library like knock. You'll have to save the valid tokens in a database, check before every request server-side, and delete the token server-side on logout.
I agree we can't do session expiration in a stateless token, but I think it could be a good idea to set
Hello, By definition, once a JWT is generated, it can't be changed anymore, so I see this more related to the client (to drop the existing token on logout) than to the server that provided the token. Conceptually speaking, any expiration control you add to the API will make it no longer stateless, which is a core concept of Knock. So, the client may keep the token, control permissions for it and prevent it from being leaked... Perhaps, concerning the server-side configuration, we should not create tokens with too long an expiration... Well, just some opinions :) I'm closing this issue now, since it was well explained already. Thanks!
First thing, thanks for a great library. It works really well for us. I'm wondering, though, what's your suggested solution for logging out? I guess I can just remove the token on the front end side, but isn't there a way to send "expire now" info, so the token won't be valid anymore?
Cheers!
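As an added illustration of the two points made in the comments above (a server-side store that is consulted on every request and updated on logout, and keeping token lifetimes short), here is a small Ruby example. It is not knock's code and is not part of this thread; it uses only the Ruby standard library, a constructed secret, and an in-memory denylist keyed by the token's `jti` claim standing in for the database the comment mentions. Revoking by `jti` instead of storing every valid token keeps the store small, because an entry only has to live until the token's own `exp`.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Constructed demo secret; a real deployment reads this from configuration.
DEMO_SECRET = 'constructed-demo-secret-not-for-production'

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constant-time byte comparison so a forged signature cannot be found by timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Mint an HS256 JWT from a Hash payload (stdlib only, no jwt gem needed).
def sign(payload, secret)
  header = { alg: 'HS256', typ: 'JWT' }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
end

# Verify signature, algorithm and expiry; returns the payload Hash or nil.
def verify(token, secret, now: Time.now.to_i)
  parts = token.to_s.split('.')
  return nil unless parts.size == 3
  signing_input = parts[0..1].join('.')
  expected = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  return nil unless secure_equal?(expected, Base64.urlsafe_decode64(parts[2]))
  header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
  return nil unless header.is_a?(Hash) && header['alg'] == 'HS256' # reject "none" etc.
  payload = JSON.parse(Base64.urlsafe_decode64(parts[1]))
  return nil unless payload.is_a?(Hash) && payload['exp'].is_a?(Integer) && now < payload['exp']
  payload
rescue ArgumentError, JSON::ParserError
  nil
end

# Server-side revocation store: jti => exp. Entries are dropped once the token
# would have expired on its own, so the store is bounded by the token lifetime.
class Denylist
  def initialize
    @revoked = {}
  end

  def revoke(jti, exp)
    @revoked[jti] = exp
  end

  def revoked?(jti, now: Time.now.to_i)
    @revoked.delete_if { |_, exp| exp <= now }
    @revoked.key?(jti)
  end
end

# Short lifetime (15 minutes) bounds how long a token stays usable after logout
# if the denylist were ever unavailable, or if a token leaks.
def issue_token(user_id, secret, ttl: 15 * 60, now: Time.now.to_i)
  sign({ sub: user_id, jti: SecureRandom.uuid, iat: now, exp: now + ttl }, secret)
end

# The per-request check: a valid signature and exp are not enough, the jti must
# also be absent from the denylist.
def authenticate(token, secret, denylist, now: Time.now.to_i)
  payload = verify(token, secret, now: now)
  return nil if payload.nil? || payload['jti'].nil?
  return nil if denylist.revoked?(payload['jti'], now: now)
  payload
end

# Logout: only a token that still verifies is recorded, keyed by its jti,
# until its own exp.
def logout(token, secret, denylist, now: Time.now.to_i)
  payload = verify(token, secret, now: now)
  return false if payload.nil? || payload['jti'].nil?
  denylist.revoke(payload['jti'], payload['exp'])
  true
end

if __FILE__ == $PROGRAM_NAME
  store = Denylist.new
  tok = issue_token(42, DEMO_SECRET)
  puts "before logout: #{authenticate(tok, DEMO_SECRET, store)&.fetch('sub').inspect}"
  logout(tok, DEMO_SECRET, store)
  puts "after logout:  #{authenticate(tok, DEMO_SECRET, store).inspect}"
end
```

The trade-off is the one the thread names: the lookup is cheap, but the API is no longer purely stateless once every request consults the store. Checking the `alg` header and comparing signatures in constant time are the two verification details most often skipped in hand-rolled JWT code, so they are included here even though they are not the subject of the issue.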