djangorestframework-simplejwt
added Outstanding tokens to Blacklisted tokens but token still working
Hello, I added 'rest_framework_simplejwt.token_blacklist' to INSTALLED_APPS, then ran python manage.py migrate. The outstanding tokens and blacklisted tokens display in the Django admin. I try to authenticate. The authenticated token is added to outstanding tokens; after that I added the token to blacklisted tokens, but the token still works.
If JWT is used, then the refresh token is placed on the blacklist (blacklisted/logged out). If the refresh token is used, it is rejected, but the access token still works until its expiration time, as the access token is never checked against the blacklist (which is probably on purpose, because only refresh tokens are subject to blacklist checking; access tokens go through without blacklist inspection).
Not sure whether this is a bug or intended behavior. I can confirm that blacklisting works on the refresh token and not on the access token of a token pair. That means the access token remains usable until it expires. It would be nice to have a method that invalidates the access token.
Relevant: https://github.com/jazzband/djangorestframework-simplejwt/issues/713#issuecomment-1614293564. @tpotjj argues that the access token should be short-lived and hence might not require invalidating.
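The behaviour described in this thread (blacklisting the refresh token, while an access token from the same pair keeps working until `exp`) and the wish for a way to invalidate the access token can be shown with a small self-contained model. The following is an added example, not code from djangorestframework-simplejwt or from anyone in this thread: it builds HS256 JWTs with the standard library, keeps an in-memory stand-in for the outstanding/blacklisted token tables, and contrasts an authenticator that only checks signature and expiry (the behaviour reported above) with one that also rejects an access token whose `jti` has been blacklisted. The signing key, user id, timestamps and function names are constructed for the example; in a real project the check would live in a subclass of `JWTAuthentication` and consult `BlacklistedToken`.

```python
import base64
import hashlib
import hmac
import json
import uuid

# Constructed placeholder signing key for this example only.
SECRET = b"constructed-demo-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(payload: dict) -> str:
    """Produce a compact HS256 JWT (header.payload.signature)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def decode(token: str, now: float) -> dict:
    """Verify signature and expiry; these are the only checks the reported
    behaviour applies to an access token."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        raise ValueError("expired")
    return payload


# In-memory stand-ins for the OutstandingToken / BlacklistedToken tables.
OUTSTANDING = {}
BLACKLISTED = set()


def issue_pair(user_id: int, now: float, access_ttl=300, refresh_ttl=86400):
    """Issue a refresh/access pair; each token carries its own jti."""
    refresh = {"token_type": "refresh", "jti": uuid.uuid4().hex,
               "user_id": user_id, "exp": now + refresh_ttl}
    access = {"token_type": "access", "jti": uuid.uuid4().hex,
              "user_id": user_id, "exp": now + access_ttl}
    OUTSTANDING[refresh["jti"]] = refresh
    OUTSTANDING[access["jti"]] = access  # simplejwt records only refresh tokens here
    return encode(refresh), encode(access)


def blacklist(token: str, now: float) -> None:
    """Logout: record the token's jti, as the blacklist app does for refresh tokens."""
    BLACKLISTED.add(decode(token, now)["jti"])


def refresh_access(refresh_token: str, now: float) -> str:
    """Refresh endpoint: a blacklisted refresh token is rejected."""
    payload = decode(refresh_token, now)
    if payload["token_type"] != "refresh" or payload["jti"] in BLACKLISTED:
        raise ValueError("refresh token rejected")
    return encode({"token_type": "access", "jti": uuid.uuid4().hex,
                   "user_id": payload["user_id"], "exp": now + 300})


def authenticate_default(access_token: str, now: float) -> int:
    """Mirrors the reported behaviour: the blacklist is never consulted."""
    payload = decode(access_token, now)
    if payload["token_type"] != "access":
        raise ValueError("not an access token")
    return payload["user_id"]


def authenticate_with_blacklist(access_token: str, now: float) -> int:
    """Hardened variant: also reject an access token whose jti is blacklisted."""
    payload = decode(access_token, now)
    if payload["token_type"] != "access":
        raise ValueError("not an access token")
    if payload["jti"] in BLACKLISTED:
        raise ValueError("access token is blacklisted")
    return payload["user_id"]


def logout_scenario(now: float = 1_700_000_000.0) -> dict:
    """Log out by blacklisting both tokens, then probe each check."""
    BLACKLISTED.clear()
    refresh_tok, access_tok = issue_pair(user_id=42, now=now)
    blacklist(refresh_tok, now)
    blacklist(access_tok, now)
    result = {}
    try:
        refresh_access(refresh_tok, now)
        result["refresh_rejected"] = False
    except ValueError:
        result["refresh_rejected"] = True
    result["access_accepted_without_check"] = authenticate_default(access_tok, now) == 42
    try:
        authenticate_with_blacklist(access_tok, now)
        result["access_rejected_with_check"] = False
    except ValueError:
        result["access_rejected_with_check"] = True
    return result
```

`logout_scenario()` reproduces the thread: the blacklisted refresh token is refused, the default authenticator still accepts the access token, and only the variant that looks up the access token's `jti` rejects it. The cost of that variant is one blacklist lookup per authenticated request, which is why the linked comment recommends keeping `ACCESS_TOKEN_LIFETIME` short instead; the lookup is worth adding where a few minutes of residual validity after logout is not acceptable.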