The token blocklist relies on the `jti` claim, a standard claim designed for tracking and revoking JWTs (the "jti" (JWT ID) claim of RFC 7519).
The blocklist storage uses a cache implementing `Psr\Cache\CacheItemPoolInterface`. The `jti` of the blocked token is stored in the cache, and the cache item expires at the token's `exp` (expiration time) claim, so a blocklist entry never outlives the token it blocks.
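To make the mechanism concrete, here is an added example (not the bundle's own code) of a minimal `jti` blocklist over a PSR-6 pool: blocking stores the token's `jti` with a TTL that ends at `exp`, and the check on the authentication path is a plain cache hit. The class and method names are illustrative; it assumes `psr/cache` is installed and a pool such as Symfony's `cache.app` is injected.

```php
<?php
// Added example: a minimal jti blocklist on top of a PSR-6 cache pool.
// Assumes psr/cache is installed; JtiBlocklist and its methods are illustrative names.
declare(strict_types=1);

use Psr\Cache\CacheItemPoolInterface;

final class JtiBlocklist
{
    public function __construct(private CacheItemPoolInterface $pool) {}

    private function key(string $jti): string
    {
        // PSR-6 forbids "{}()/\@:" in keys, so hash the jti instead of using it raw.
        return 'jwt_blocklist_' . hash('sha256', $jti);
    }

    /** Block a decoded payload; the entry lives exactly as long as the token does. */
    public function block(array $payload, ?int $now = null): bool
    {
        if (!isset($payload['jti'], $payload['exp'])) {
            return false; // nothing to track, or no expiry to bound the entry
        }
        $ttl = (int) $payload['exp'] - ($now ?? time());
        if ($ttl <= 0) {
            return false; // already expired; the normal exp check rejects it anyway
        }
        $item = $this->pool->getItem($this->key((string) $payload['jti']));
        $item->set(true);
        $item->expiresAfter($ttl);

        return $this->pool->save($item);
    }

    /** Called on authentication: a cache hit means the token was revoked. */
    public function isBlocked(array $payload): bool
    {
        if (!isset($payload['jti'])) {
            return false; // a token without jti cannot be tracked at all
        }

        return $this->pool->getItem($this->key((string) $payload['jti']))->isHit();
    }
}

// Usage with symfony/cache's in-memory adapter (constructed sample payload):
// $blocklist = new JtiBlocklist(new \Symfony\Component\Cache\Adapter\ArrayAdapter());
// $payload   = ['jti' => 'sample-id', 'exp' => time() + 3600];
// $blocklist->block($payload);      // true
// $blocklist->isBlocked($payload);  // true
```

Note the last branch: a token issued before the blocklist was enabled carries no `jti` and therefore cannot be revoked this way; such tokens remain valid until their `exp`, which is worth keeping in mind when rolling the feature out.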
To configure the token blocklist, update your `lexik_jwt_authentication.yaml` file:

```yaml
# config/packages/lexik_jwt_authentication.yaml
# ...
lexik_jwt_authentication:
    # ...
    # invalidate the token on logout by storing it in the cache
    blocklist_token:
        enabled: true
        cache: cache.app
```
Enabling `blocklist_token`:

- adds a `jti` claim to the payload via `Lexik\Bundle\JWTAuthenticationBundle\Services\PayloadEnrichment\RandomJtiEnrichment`, passed as an argument to the `Lexik\Bundle\JWTAuthenticationBundle\Services\JwtManager`
- activates the event listener `Lexik\Bundle\JWTAuthenticationBundle\BlockJWTListener`, which blocks JWTs on logout (`Symfony\Component\Security\Http\Event\LogoutEvent`) or on login failure due to the user not being enabled (`Symfony\Component\Security\Core\Exception\DisabledException`)
- activates the event listener `Lexik\Bundle\JWTAuthenticationBundle\RejectBlockedTokenListener`, which rejects blocked tokens during authentication
To block JWTs on logout, you must either activate logout in the firewall configuration or trigger it programmatically:

- by firewall configuration
- programmatically in a controller action

Refer to the Symfony documentation on logging out for more details.
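As an added example (not from the bundle's documentation), the programmatic variant: a controller action that logs the current user out through `Security::logout()`, which dispatches the `LogoutEvent` the bundle's logout listener reacts to. It assumes Symfony 6.4 or later (for the `Route` attribute namespace and `Security::logout()`), a firewall that has a `logout` section, and an illustrative route path and class name.

```php
<?php
// Added example: programmatic logout so that a LogoutEvent is dispatched
// on the current firewall. Assumes Symfony >= 6.4; route and class names are illustrative.
declare(strict_types=1);

namespace App\Controller;

use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;

final class LogoutController
{
    #[Route('/api/logout', name: 'api_logout', methods: ['POST'])]
    public function __invoke(Security $security): Response
    {
        // Security::logout() dispatches LogoutEvent for the current firewall and
        // returns whatever response the logout listeners produced, or null.
        // The argument disables the CSRF token check, which a bearer-token API
        // has no session-bound CSRF token to satisfy.
        $response = $security->logout(false);

        return $response ?? new JsonResponse(null, Response::HTTP_NO_CONTENT);
    }
}
```

Because the listener keys on the `LogoutEvent`, both routes lead to the same place: the token presented on the request that triggered logout has its `jti` written to the configured cache pool, and any later request carrying that token is rejected during authentication.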
To change the blocklist storage, refer to Configuring Cache with FrameworkBundle:

```yaml
# config/packages/framework.yaml
framework:
    # ...
    cache:
        default_redis_provider: 'redis://localhost'
        pools:
            block_list_token_cache_pool:
                adapter: cache.adapter.redis
```

```yaml
# config/packages/lexik_jwt_authentication.yaml
lexik_jwt_authentication:
    # ...
    blocklist_token:
        enabled: true
        cache: block_list_token_cache_pool
```