
Comments (6)

mooreds commented on July 23, 2024

We do not yet have an implementation of JWTManager for python, you are correct. You could translate the JWTManager javascript code into python, which would be one option. We welcome pull requests :).

from fusionauth-python-client.

scott2b commented on July 23, 2024

The original question seems to be specifically how to revoke an access token (not a refresh token). Although the original question states that the desired behavior can apparently be achieved via the JWTManager, I am unable to find how the JWTManager exposes functionality for revoking or invalidating an access token.

How does one go about revoking an access token? Either with the JWTManager ... or regardless of the client, what would be the correct API call to do this?

from fusionauth-python-client.

mooreds commented on July 23, 2024

@scott2b

You can't explicitly revoke an access token in FusionAuth. We don't support RFC 7009: https://www.rfc-editor.org/rfc/rfc7009.html and based on the number of upvotes for this, I don't know if the community wants us to: FusionAuth/fusionauth-issues#201

So, if you want to have an access token become invalid, you have to manage it yourself. That is what is outlined in the articles @tanwirahmad mentions. The process is basically:

  • set up webhooks to fire to all the resource servers when a refresh token is invalidated (when the user logs out)
  • listen for that event, and when it occurs, record the user with the invalid token in the resource server (in redis, db, etc)
  • next time an access token is presented, verify that it is not for a user who has logged out

If you want to handle the case where a user logs out, then logs back in quickly, then the time based logic in the Webhooks section here: https://fusionauth.io/learn/expert-advice/tokens/revoking-jwts needs to be implemented.

Hope this helps.

from fusionauth-python-client.
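The webhook process and time-based check described in the comment above, as an added Python sketch that is not part of the thread or of FusionAuth's code. The event shape (`type`, `userId`, `ttl_seconds`) and all names are hypothetical, and it assumes the token's signature and expiry are verified before the check and that no access token for the user lives longer than `ttl_seconds`.

```python
import time


class RevocationStore:
    """In-memory stand-in for the redis/db record kept on a resource server."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._cutoff = {}  # user id -> latest `exp` a pre-logout token can have

    def on_webhook(self, event):
        """Step 2: record the logout. `event` is a hypothetical, simplified
        payload {"type", "userId", "ttl_seconds"}, not a real webhook body."""
        if event.get("type") != "refresh_token_revoked":
            return False  # ignore unrelated events
        user_id, ttl = event.get("userId"), event.get("ttl_seconds")
        if not user_id or not isinstance(ttl, int) or ttl <= 0:
            raise ValueError("malformed revocation event")
        # A token issued before the logout expires no later than now + ttl.
        cutoff = self._clock() + ttl
        self._cutoff[user_id] = max(cutoff, self._cutoff.get(user_id, 0))
        return True

    def is_revoked(self, claims):
        """Step 3: `claims` is the payload of an access token whose signature
        and expiry were already verified (assumed done by the caller)."""
        cutoff = self._cutoff.get(claims["sub"])
        if cutoff is None:
            return False
        if self._clock() > cutoff:
            # Every pre-logout token has expired by now; drop the entry.
            del self._cutoff[claims["sub"]]
            return False
        # Time-based check: a token from a fresh login outlives the cutoff.
        return claims["exp"] <= cutoff


def demo():
    """Constructed scenario: logout at t=1000000, re-login 5 s later."""
    now = [1_000_000]
    store = RevocationStore(clock=lambda: now[0])
    old = {"sub": "u1", "exp": now[0] - 60 + 300}  # issued 60 s before logout
    store.on_webhook({"type": "refresh_token_revoked", "userId": "u1",
                      "ttl_seconds": 300})
    now[0] += 5
    new = {"sub": "u1", "exp": now[0] + 300}  # issued after logging back in
    return store.is_revoked(old), store.is_revoked(new)


if __name__ == "__main__":
    print(demo())
```

Because the store keeps a cutoff per user rather than a per-token list, the entry can be dropped once the cutoff has passed, which keeps the redis or database table small.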

scott2b commented on July 23, 2024

This is very helpful. Thank you for the quick response. While I was poking around at this, I also ran across this discussion which seems relevant and illuminating: FusionAuth/fusionauth-issues#25

Particularly, the whole thing JWTs are meant to be portable and are not persisted server-side switched on a lightbulb for me. But it also raises the question of whether they should be used in a standard application session-oriented auth workflow, as seems to be implied, e.g. in the example Flask client here. While the example does not explicitly keep track of user sessions, it would be the natural next step (and the one I am trying to solve now).

So I sort of think maybe using the JWT API for this is not the right approach? But then is there another mechanism provided by the FusionAuth API? As far as I can tell, this is just how FusionAuth works by virtue of the fact of using JWTs as oAuth tokens.

from fusionauth-python-client.

mooreds commented on July 23, 2024

@scott2b I suggest you take a look at these login flows. They walk through all kinds of options: https://fusionauth.io/learn/expert-advice/authentication/login-authentication-workflows

You can also post in our community forum, slack or open a support ticket (if you have support). All of these will get you a better response than posting on a client library issue (your current experience notwithstanding :) ).

from fusionauth-python-client.

scott2b commented on July 23, 2024

Thank you for this link. I appreciate the detail spelled out here.

from fusionauth-python-client.
