by oautholaf
1361 days ago
In my experience, a working strategy for handling signout or revocation for statically verifiable tokens like JWT is straightforward:

- Clear client-side state where you can.
- Write signed out/expired tokens to something with a cheap heavy read/eventual consistency model.
- Fail to signed in if unavailable.
- Acknowledge that you are gaining latency/availability/lower costs by trading some precision.

I am aware of a very large website most folks use every day that did this for more than a decade and it worked fine.
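The scheme sketched in the comment above, as an added Python example (not the commenter's code, and not taken from any site they refer to): an HS256 JWT is verified statically, then its `jti` is looked up in a revocation store that keeps each entry only until the token's own `exp`, after which static verification rejects it anyway. The store is an in-memory stand-in with an `available` flag so the outage case can be exercised; the "fail to signed in" behaviour the comment describes is surfaced as the `fail_open` parameter so a reader can see exactly where that trade-off lives. Names (`RevocationStore`, `is_signed_in`, the key bytes and claims) are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT. The 'jti' claim is the handle used for revocation."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, key: bytes, now: float):
    """Static verification only: signature and expiry. Returns the claims or None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: refuses alg=none and key/algorithm confusion.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:  # malformed base64, JSON or token shape
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


class RevocationStore:
    """Stand-in for the cheap, read-heavy, eventually consistent store.

    Each entry records the token's own exp so the store can forget it once
    static verification would reject the token anyway (bounded growth).
    """

    def __init__(self):
        self._revoked = {}      # jti -> exp
        self.available = True   # set False to simulate the store being down

    def revoke(self, jti: str, exp: float) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti: str) -> bool:
        if not self.available:
            raise ConnectionError("revocation store unreachable")
        return jti in self._revoked

    def prune(self, now: float) -> int:
        """Drop entries whose token has already expired; returns the count dropped."""
        stale = [j for j, exp in self._revoked.items() if exp <= now]
        for j in stale:
            del self._revoked[j]
        return len(stale)


def is_signed_in(token: str, key: bytes, store: RevocationStore, now: float,
                 fail_open: bool = True) -> bool:
    """Static check first; only a validly signed, unexpired token costs a store read.
    If the store is unreachable, fail_open=True keeps the user signed in (the
    availability-for-precision trade the comment describes)."""
    claims = verify_token(token, key, now)
    if claims is None:
        return False
    try:
        return not store.is_revoked(str(claims.get("jti", "")))
    except ConnectionError:
        return fail_open


if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed sample key, not a real secret
    now = 1_000_000.0
    store = RevocationStore()
    tok = make_token({"sub": "alice", "jti": "t1", "exp": now + 3600}, key)
    print("fresh:", is_signed_in(tok, key, store, now))
    store.revoke("t1", now + 3600)
    print("after signout:", is_signed_in(tok, key, store, now))
    store.available = False
    print("store down, fail open:", is_signed_in(tok, key, store, now))
```

The `prune` step is what keeps the store cheap: a revocation record never needs to outlive the token it names, so the working set is bounded by the number of sign-outs within one token lifetime rather than growing forever.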