API Connect

How to avoid use of JWT token generated by Third Party Provider after Logout cases

Posted Mon February 17, 2025 11:02 AM
Hi,
We are looking for a solution. We have a case here where we are getting a JWT token from the TPP server using the RSA256 public and private key concept.
The workflow will be like:
1. Mobile logs in using username/password through API Connect to the TPP auth server.
2. The TPP auth server authenticates the username and password and generates a JWT token with claims.
3. The mobile user sends the JWT token in every request for any service to API Connect (a request can be to fetch card details, or any payments).
4. API Connect validates the JWT token with the public key, and checks expiry time, issuance, audience and signature. On successful validation, API Connect sends the request to the backend systems.

As the above workflow shows, validation of JWT tokens and sending the request to the backend is working as it is.
Problem statement: In the logout scenario, JWT tokens are stateless and are just verified at the API Connect level. Please suggest any solution where we can blacklist or store JWT tokens at the API gateway level.
We are also looking for suggestions to handle the above workflow.
Thanks,
Regards
Deedar


------------------------------
Deedar Ali Brohi
------------------------------