Last post Nov 20, 2018 03:02 AM by Nan Yu
Nov 19, 2018 11:45 AM|farhanahmad212
In token-based authentication in an API:
Suppose I have logged in with valid credentials and created a first token, its expiry time is one day, and I kept this token.
Then I logged out and logged in again with valid credentials and created a second token, its expiry time is one day, and I kept the second token.
Can we access resources with the first token before expiration, and if not, then how is the first token validated as no longer being a valid token? Because tokens are not stored at the server side. The token has encrypted information about the user and the expiry time but is not stored on
Does anyone have any idea about this?
Nov 19, 2018 12:37 PM|mgebhard
The client application is responsible for saving the token. Your client application will need to store both tokens, which is unusual. Whether the first token works or not depends on how your code works, which we cannot see.
Nov 19, 2018 01:32 PM|farhanahmad212
Nov 19, 2018 02:03 PM|mgebhard
We know that it will be kept at the client side. But I want to know how the server will validate my first token as invalid if the server is not storing anything.
Again, we cannot see your code. Only you can answer this question.
How does your server validate tokens currently? What kind of token are you using? What protocol are you using?
Nov 19, 2018 03:09 PM|bruce (sqlwork.com)
the typical server validation is to check the expiration and signature. if you want more you will need to code it. you could keep last logout time in the token and verify on every request.
Nov 20, 2018 03:02 AM|Nan Yu
Hi farhanahmad212,
As @Bruce said, server-side validation usually checks the token's expiry time, signature, and issuer. Once the user obtains an access token, he'll be able to access the server resources as long as his access token is not expired; there is no standard way to revoke access tokens unless the Authorization Server implements custom logic which forces you to store the generated access token in a database and do database checks with each request.
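
The checks discussed in the replies above (signature and expiry, plus custom server-side logic tied to logout), as an added example that is not part of any post in this thread. It is a variant in which the token carries its issue time and the server stores only one logout timestamp per user, refusing any token issued before it. The token format, `SECRET`, `not_before` and the function names are assumptions made for illustration, not a real JWT library.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"   # assumption: signing key known only to the server
not_before = {}                    # user -> last logout time; the only server-side state

def _sign(body: bytes) -> str:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()

def issue(user, now=None, ttl=86400):
    """Return a signed token carrying sub, iat and exp (one-day lifetime by default)."""
    now = time.time() if now is None else now
    claims = {"sub": user, "iat": now, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + _sign(body)

def logout(user, now=None):
    """Record the logout; every token issued before this moment is refused."""
    not_before[user] = time.time() if now is None else now

def validate(token, now=None):
    """Return (True, claims) or (False, reason)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        # Constant-time comparison; verify before trusting any claim.
        if not hmac.compare_digest(sig, _sign(body.encode())):
            return False, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return False, "malformed"
    if now >= claims["exp"]:
        return False, "expired"
    # The extra check: one dictionary (or database) lookup per request.
    if claims["iat"] < not_before.get(claims["sub"], 0):
        return False, "revoked by logout"
    return True, claims

if __name__ == "__main__":
    first = issue("alice", now=1000)       # constructed timestamps
    logout("alice", now=2000)
    second = issue("alice", now=2001)
    print(validate(first, now=2500))       # first token refused after logout
    print(validate(second, now=2500))      # second token accepted
```

The first token still has a valid signature and has not expired; only the server-side lookup rejects it, which is the cost of revoking otherwise stateless tokens.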