Blacklisting JWT token


#1

Is there a way to invalidate/blacklist JWT tokens at the TYK level?

I know that the token issuer (our service) can invalidate them, but is there a way to inform TYK about an invalidated/blacklisted token?

I know we can achieve something with an OpenId Connect scheme, but currently we want to try to make it work with just plain JWT.


#2

There is a way, but it’s non-intuitive:

All JWT tokens generate an internal token representation in Tyk based off a hash of the underlying ID claim (e.g. sub). You can grab it from the header by using a global injection rule for $tyk_meta.TykJWTSessionID, and you can then invalidate this token (i.e. set the is_inactive flag to true in the session state object).

What happens here then is that the sub is blocked, and so are any and all JWT tokens that get generated for them.


#3

Hey @Martin

Could you elaborate on that?


#4

Sure,

Each JWT goes through this process within the gateway (option 1), which essentially causes the sub field to be transformed into an internal representation of the JWT holder, and then policies, ACLs and rate limits are hung off that identity instead of the JWT. This allows us to track an identity (the underlying user) across JWT refreshes.

Since there is an internal token that gets generated to identify the user, that token’s various session options can be used to manage the user, e.g. to block them across JWTs. A special case with JWT and OIDC is that this internal token ID is then added to this token as metadata so that it can be retrieved / audited later.

To do this, you need to get an idea of what this internal token is. To do so, you can use the global header injector, injecting the meta_data associated with the underlying token into the headers list as something you can trap / log.

The specific key for this JWT internal token ID is $tyk_meta.TykJWTSessionID. By adding this as a header value, you can trap / log the offending token ID, and then use the Dashboard REST API (viz. “Get a specific key”) to modify the session object; in this case you want to set the is_inactive flag to true.

Once you PUT this token data back into the dashboard, the JWT will be blocked.


#5

@Martin - Is there any way I can do this via Tyk Rest API (not Dashboard REST API)?

The URL http://tykhost/tyk/keys/id gives me the session object. I just change the is_inactive flag to true, and when I retrieve the session object again via the above URL it correctly shows as true.

But again when the request comes with the above JWT/session id it resets the is_inactive to false.
I hope the Dashboard API calls the gateway REST API underneath.
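The procedure from #4 and #5 as a small script, added here as an example and not code from the thread or from Tyk: read the internal session ID out of the header the global injector filled with $tyk_meta.TykJWTSessionID, GET the session object from the Gateway API, set is_inactive, and PUT it back. The header name, gateway URL and secret are placeholders, and the Gateway API shape (GET/PUT /tyk/keys/{id} authenticated with x-tyk-authorization, as in the URL quoted above) is an assumption; the transport is injectable so the logic can be exercised without a live gateway.

```python
import json
import urllib.request
from typing import Callable, Optional

# Placeholders (constructed): point these at your own gateway.
GATEWAY_URL = "http://tykhost"
GATEWAY_SECRET = "<gateway-secret-placeholder>"
# Assumed name of the header the global injector writes $tyk_meta.TykJWTSessionID into.
INJECTED_HEADER = "x-tyk-jwt-session"


def session_id_from_headers(headers: dict) -> Optional[str]:
    """Pull the internal JWT session ID out of upstream request headers (case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == INJECTED_HEADER:
            return value.strip()
    return None


def deactivate(session: dict) -> dict:
    """Copy of the session object with is_inactive set; every other field (rate, policies...) is kept."""
    updated = dict(session)
    updated["is_inactive"] = True
    return updated


def _http(method: str, url: str, body: Optional[bytes] = None) -> dict:
    """Minimal JSON call against the Gateway API (assumed x-tyk-authorization header)."""
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("x-tyk-authorization", GATEWAY_SECRET)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def block_jwt_session(session_id: str, http: Callable = _http) -> dict:
    """GET the session for the internal ID, flip is_inactive, PUT it back; returns the object sent."""
    url = f"{GATEWAY_URL}/tyk/keys/{session_id}"
    current = http("GET", url)
    updated = deactivate(current)
    http("PUT", url, json.dumps(updated).encode())
    return updated


if __name__ == "__main__":
    # Constructed header set as an upstream service would see it after injection.
    sid = session_id_from_headers({"X-Tyk-JWT-Session": "abc123", "Host": "api.example"})
    if sid:
        print(block_jwt_session(sid))
```

After the PUT, re-GET the key (as done in #5) to confirm is_inactive is still true once a request with that JWT has gone through.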


#6

The dashboard uses the Gateway API for this, so it wouldn’t change anything.

It’s odd that the change is reset when the token comes in, it implies that it is being recreated each time instead of using the cached version.

We’ll need to try and replicate.