
Blacklisting tokens

jwt
api

#1

Looking for help in blacklisting tokens. I found this endpoint to handle this on Auth0’s side: https://auth0.com/docs/api/management/v2#!/Blacklists/post_tokens. However, Auth0 doesn’t provide the jti with tokens. I attempted to inject a jti into an access token and it didn’t work. So I’m wondering how this blacklist endpoint works.


#3

Hey there @rsanchez, we have some documentation on Blacklisting JSON Web Tokens below. Please let me know if this helps you in your search. If by chance it doesn’t, I’m happy to dig in deeper with you on the challenge. Thanks!


#4

Thanks for the response. I’ve read those articles. What isn’t clear to me is how to inject the jti into the access/web token. Auth0 generates these for us on authentication and won’t inject the jti into them.


#5

Can you share the code example that isn’t working in the stated scenario? Upon investigation I found another topic where a community user found success through the below:

access_token['https://example.com/jti'] = '[unique_id_here]';


#6

I wanted to follow up @rsanchez and see how everything is going? Please let us know if you have any questions you may need assistance with. Thanks!


#7

Yes, we can create a jti by adding ‘https://domain:jti’ instead of just ‘jti’. It’s just that some of the examples/articles I found indicated adding the jti field directly to the access token without the domain qualifier.


#8

We have this reference for setting the jti here on our Blacklists and Application Grants. I have included a sample from the article below:

Auth0-issued tokens are JWTs, so you can set the JWT ID, or jti, for the token by including it in the token payload’s jwtid field. With the jti in hand, you can make the appropriate POST call to the Management API’s blacklist a token endpoint. You’ll need to provide the JWT’s aud and jti claims.

Add a JWT ID

You can add jti via a rule. Here’s a simple example using UUID:

// Auth0 rule: runs after authentication and attaches a random UUID as the token ID
function (user, context, callback) {
  user.jti = require('uuid').v4();
  callback(null, user, context);
}


Your call might look something like this:

curl -H "Authorization: Bearer {JWT_API_KEY}" \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"aud":"u6nnAxGVjbBd8etXjj554YKGAG5HuVrp","jti":"test-token"}' \
  https://login.auth0.com/api/v2/blacklists/tokens