Invalidating all JWTs for a user

Our app authenticates by leveraging JWTs, based on the helpful blog by @Matti.

There are two cases where we’d like to invalidate all JWTs for a user:

  • Whenever a user logs out.
  • Whenever a user changes their password.

The blog and accompanying comments suggest blacklisting, possibly along with a servlet filter, which seems like a reasonable approach. That seems predicated on maintaining a cache of active JWTs, and applying the filter appropriately. Working upstream one step, we’d like to intercept each JWT as it is issued and persist it to the cache. JWT creation appears to occur in the JwtSecurityContextRepository class, so our current idea is to author our own CustomJwtSecurityContextRepository.

Is this the correct approach to take? Wouldn’t be the first time I’ve embarked on a 10x-too-complicated-coding-odyssey. Is there a simpler out-of-the-box solution?

@marcoc_753 … You’ve had great advice in the past which means your reward is getting tagged :laughing:
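Added example (not from the original post, and not Vaadin's or the blog's code): an alternative to caching every active JWT is to store one value per user, a cutoff timestamp, and reject any token whose standard `iat` claim is at or before it. Logout and password change both simply move the cutoff to "now". The example below mints and verifies HS256 tokens with only the Python standard library so it runs offline; the `issue_token`/`verify_token`/`InvalidationStore` names, the demo key and the timestamps are all made up for illustration, and a real deployment would keep the cutoffs in a shared store (database or cache) rather than a dict.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key for the example only; load a real key from a secrets store.
SECRET = b"demo-hmac-key-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, now: int, ttl: int = 3600) -> str:
    """Mint an HS256 JWT. The standard `iat` claim is what the cutoff check keys on."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class InvalidationStore:
    """One cutoff timestamp per user: every token issued at or before it is dead.

    Hypothetical in-memory store; in production this lives in a shared DB/cache
    so every app instance sees the same cutoffs.
    """

    def __init__(self) -> None:
        self._invalid_before: dict = {}

    def invalidate_all(self, user_id: str, now: int) -> None:
        # Called on logout and on password change: kills every outstanding token.
        self._invalid_before[user_id] = now

    def cutoff(self, user_id: str) -> int:
        return self._invalid_before.get(user_id, 0)


def verify_token(token: str, store: InvalidationStore, now: int) -> Optional[dict]:
    """Return the claims if signature, expiry and the per-user cutoff all pass, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            return None  # reject "none" and any algorithm other than the one we signed with
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    if claims["exp"] <= now:
        return None
    # The "invalidate everything" step: tokens minted at or before the user's
    # cutoff are rejected even though their signature and expiry are fine.
    if claims["iat"] <= store.cutoff(claims["sub"]):
        return None
    return claims


if __name__ == "__main__":
    store = InvalidationStore()
    t0 = 1_700_000_000  # constructed clock value
    old = issue_token("alice", t0)
    print("before logout:", verify_token(old, store, t0 + 10) is not None)
    store.invalidate_all("alice", t0 + 20)  # logout or password change
    print("after logout: ", verify_token(old, store, t0 + 30) is not None)
    fresh = issue_token("alice", t0 + 21)  # next login, minted after the cutoff
    print("fresh login:  ", verify_token(fresh, store, t0 + 30) is not None)
```

Two caveats worth keeping in mind with this approach. First, `iat` has one-second resolution, so a token minted in the same second as the invalidation is rejected by the `<=` comparison; mint the post-login token after the cutoff has been written (or carry an explicit per-user version claim and bump it instead of using timestamps). Second, the check still costs a lookup on every request, just as a blacklist does, but it stores one value per user rather than one entry per active token and needs no hook at token-issue time.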