Access token does not invalidate after revoking

I am using JWT authentication in my app. I am generating the access token and refresh token for the user using the code below:

```js
let token = await auth.withRefreshToken().attempt(email, password)
```

This generates the tokens as below:

```
"type": "bearer",
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOjE2LCJpYXQiOjE1NzE4ODg2NDB9.b9Cimil8erJ9GQx0uFf8ir44gzPQ4b3Z0c72OsGcy1k",
  "refreshToken": "42b74c4121d7539f15b00c739971a20fqin+Lj8PdqRMta5P88RPDn0tzLiS/lNcyyokdqHfNFJ/R5hw5uQ/WhE8DzloRq4b",
```

From the above output, I pass the access token as the bearer token to fetch the user details, which works perfectly fine for a correct token. But after logout, it is not revoked and keeps returning the correct results with the above token. The code for the logout functionality is as below:

```js
const token = auth.getAuthHeader()
return await auth.revokeTokens([token])
```

I did try all the revoke methods given in the documentation, but none of them gives me the expected results.


Hey @Digvijay! :wave:

It doesn’t work because you cannot revoke an access_token since the server doesn’t store it.

This is how JWTs work. If you still wish to be able to revoke the JWT (which would be in my opinion wrong and may mean you have an architecture issue), you can create a blacklist.

If you want more information about this, there are many posts about it on the forum.
