How to invalidate a JWT Token after Verify

abhinabanag92
Participant III

I want a JWT token to be used only once, and post-verification I want to invalidate it, so that each time the caller has to generate a new JWT token.

I have already set its expiry time to 5 minutes while generating it.

Note: I cannot apply a quota policy set to 1 call per 5 minutes to achieve this, as there might be more than 200 calls in 5 minutes.

Please advise.

1 ACCEPTED SOLUTION

kctreacy
Participant I

The JWT specification defines the 'jti' claim for this exact purpose. The 'jti' claim serves as a 'nonce' that can be used to prevent replay attacks / enforce "one-time" use of the JWT.

Note that you do not explicitly invalidate the JWT. Instead you put controls in place to track what JWTs have been previously used and then reject requests that attempt to reuse a JWT.
To accomplish this you will need to use the Apigee provided get/put cache policies to track JWTs. Additionally you must consider in your design if the client will explicitly specify the 'jti' claim. If not, then you must compute one server-side. One technique is to hash the JWT.

Refer to the following article that discusses this in detail:

https://community.apigee.com/questions/56910/with-verifyjwt-how-can-i-insure-that-a-jwt-is-used.html

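A worked illustration of the check described in the accepted answer, added here as an example and not part of the original post or of Apigee's own policies: a constructed HS256 token is verified, then its 'jti' (or a SHA-256 hash of the token when the client supplied no 'jti') is recorded in an in-memory dict standing in for the Apigee cache, with a lifetime equal to the token's 'exp', so a second presentation within that window is rejected. The secret, claims and clock values are all constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; in Apigee the VerifyJWT policy holds the real key.
SECRET = b"demo-secret-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict) -> str:
    """Mint a constructed HS256 test token (stands in for the caller's token)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

class OneTimeJwtVerifier:
    """Verify a JWT, then refuse any second presentation within its lifetime."""
    def __init__(self, now=time.time):
        self.now = now
        self.seen = {}  # stand-in for Apigee LookupCache/PopulateCache: key -> exp

    def verify(self, token: str) -> tuple[bool, str]:
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed"
        header, payload, sig = parts
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return False, "unexpected alg"
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return False, "bad signature"
        claims = json.loads(b64url_decode(payload))
        now, exp = self.now(), claims.get("exp")
        if exp is None or now >= exp:
            return False, "expired or missing exp"
        # Prefer the client-supplied jti; otherwise derive a replay key from the token itself.
        key = claims.get("jti") or hashlib.sha256(token.encode()).hexdigest()
        # Drop entries for tokens that have since expired; a replay of those fails on exp anyway.
        self.seen = {k: e for k, e in self.seen.items() if e > now}
        if key in self.seen:
            return False, "replay: jti already used"
        self.seen[key] = exp  # remember the token for exactly as long as it is valid
        return True, "ok"
```

Because the cache entry expires together with the token, the store never grows beyond the number of tokens still inside their 5-minute window, which is what makes this workable at 200+ calls per window.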