0
votes

We have a multiserver system with an Azure API Management service facing the client.

Our identity service is proprietary and generates regular JWT tokens. The token has an expiration date, so we automatically throw an Unauthorized error when the client sends it after expiration. Everything is working OK.

Now, if the user logs out, we remove the token from the client application, and the user is therefore forced to log in again to keep working with the backend.

But the fact is that, since the JWT is still valid, it can be reused by any client application until it expires. So we are looking for a standard token revocation mechanism in APIM, because it would be very costly to have a revocation list on every internal server behind it.

The concrete question is: Is there any "blacklist" functionality in APIM where we can add the revoked tokens (due to logout)? Is there an API for that?

1
No indeed. Sorry. The posted answer proposes to add a 3rd party product rather than using an existing APIM or Azure functionality - Jaime

1 Answer

0
votes

You can blacklist a JWT token by integrating Auth0 with APIM.

Revoked tokens

// express-jwt (v6-style callback API) with an isRevoked hook that looks the
// token's jti up in a revocation store. ./data and ./utilities are the answer's
// own local modules and are assumed to exist (data.getRevokedToken in particular).
var express = require('express');
var jwt = require('express-jwt');
var data = require('./data');
var utilities = require('./utilities');

var app = express();

// Called on every request after the signature has been verified:
// done(null, true) rejects the token as revoked, done(null, false) lets it through.
var isRevokedCallback = function(req, payload, done){
  var issuer = payload.iss;
  var tokenId = payload.jti;   // tokens must carry a jti claim for this to work

  data.getRevokedToken(issuer, tokenId, function(err, token){
    if (err) { return done(err); }
    return done(null, !!token); // present in the store => revoked
  });
};

app.get('/protected',
  jwt({
    secret: 'shhhhhhared-secret',
    algorithms: ['HS256'],
    isRevoked: isRevokedCallback
  }),
  function(req, res) {
    if (!req.user.admin) return res.sendStatus(401);
    res.sendStatus(200);
  }
);

app.listen(3000);

You can refer to Get Started with JSON Web Tokens, Adding JSON Web Token API Keys to a DenyList, and How to invalidate a JWT using a blacklist.