Possibility to define additional identity fields for easy token revocation / logout
It would be awesome to get the possibility to define additional identity fields in lexik_jwt_authentication.yaml, e.g. something like this:
```yaml
lexik_jwt_authentication:
    secret_key: '%env(resolve:JWT_SECRET_KEY)%'
    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
    pass_phrase: '%env(JWT_PASSPHRASE)%'
    additional_identity_fields: [password, updatedAt, tokenSalt]
```
After changing password/updatedAt/tokenSalt the tokens become invalid -> revocation solved.
Maybe it's not the best idea to send the hashed password in the token payload (such information can still be used for attacks), but we can harden it up a bit, e.g. by creating a hash over all configured identity fields (more defined fields -> better salt). Example configuration:
```yaml
lexik_jwt_authentication:
    secret_key: '%env(resolve:JWT_SECRET_KEY)%'
    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
    pass_phrase: '%env(JWT_PASSPHRASE)%'
    additional_identity_fields: [password, updatedAt, tokenSalt]
    additional_identity_hash: true
```
Or just hash by default...
I think this is the easiest way to revoke exposed tokens. Currently we can also use iat for an expiration check (increase the date of a field, e.g. tokenValidSince, and check it against iat), but an automatic way implemented in the core would be awesome... :-)
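As an added illustration of the mechanism requested above (not code from this post or from LexikJWTAuthenticationBundle, which is PHP): a standard-library Python sketch that puts a hash over the configured identity fields into the token instead of the raw values, and rejects a token on the next request if those fields changed or if its iat predates a tokenValidSince field. The HMAC secret, the field names and the user record are constructed sample values.

```python
import base64, hashlib, hmac, json

# Constructed demo values; a real deployment keeps the key in the environment.
SECRET = b"constructed-demo-secret"
IDENTITY_FIELDS = ["password", "updatedAt", "tokenSalt"]

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def identity_hash(user: dict, fields=IDENTITY_FIELDS) -> str:
    # Hash the configured fields together so the password hash itself
    # never appears in the token payload.
    material = "\x1f".join(str(user[f]) for f in fields)
    return hashlib.sha256(material.encode()).hexdigest()

def issue_token(user: dict, now: int) -> str:
    # Minimal HS256 JWT: header.payload.signature, base64url without padding.
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"username": user["username"], "iat": now,
              "identity_hash": identity_hash(user)}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str, user: dict) -> bool:
    # `user` is the current record loaded from the database for the
    # token's username; the checks run on every authenticated request.
    try:
        header, payload, sig = token.split(".")
        given_sig = _unb64(sig)
        claims = json.loads(_unb64(payload))
    except ValueError:
        return False
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return False
    if claims.get("username") != user["username"]:
        return False
    # Revocation 1: any configured identity field changed -> hash mismatch.
    if claims.get("identity_hash") != identity_hash(user):
        return False
    # Revocation 2 (the iat workaround): issued before tokenValidSince.
    if claims.get("iat", 0) < user.get("tokenValidSince", 0):
        return False
    return True
```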