问题描述

我通过在自定义登录API中生成JWT(JSON Web令牌)来在Azure移动服务中使用自定义身份验证.用户拥有JWT后，它才有效，直到达到其编码的到期时间为止.

I'm using custom authentication in Azure Mobile Services by generating a JWT (JSON Web Token) in a custom login API. Once a user has a JWT, it's valid until its encoded expiry time is reached.

除了在每个经过身份验证的请求上针对会话表显式检查JWT令牌之外，还有一种方法可以在JWT令牌到期之前(如用户注销时发生)使JWT令牌无效，以使使用该令牌进行的任何后续请求X-ZUMO-AUTH标头中的值永远不会到达任何表API或自定义API脚本?

Beyond explicitly checking the JWT token against a sessions table on every authenticated request, is there a way to invalidate the JWT token before its expiry time (as would happen when a user logs out) such that any subsequent request made with that token as a value in the X-ZUMO-AUTH header would never reach any table API or custom API scripts?

推荐答案

不是.当用户从客户端注销时，它使用的JWT并没有真正失效-只是从客户端的内存中删除了(请参阅托管的SDK ).通过对照移动服务的主密钥检查其签名来完成JWT验证，除非更改此密钥(否则将使您服务的JWT令牌的 all 无效，我认为这不是您所需要的)想要)，令牌将一直有效直到过期.

Not really. When a user logs out in the client the JWT it uses isn't really invalidated - it's just removed from the client's memory (see the code on the managed SDK, for example). The JWT validation is done by checking the its signature against the mobile service's master key, and unless this key is changed (which would invalidate all of your service's JWT tokens, which I don't think is what you want), the token will be valid until it's expired.

由于您自己生成了JWT，因此可以考虑使用更短的到期时间，这可能对您有所帮助.

Since you're generating the JWTs yourself you can consider using a smaller expiration time which may help in your case.

您还可以在移动服务的反馈论坛中建议此功能.有我创建的一个相关功能建议，您也可以考虑在其中添加评论并投票.

You can also suggest this feature in the mobile service's feedback forum. There's one related feature suggestion which I created, you can also consider adding a comment to that and voting it up.

这篇关于注销/使JWT无效的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！