Proper way to handle logout with Simple JWT in DRF

I implemented a logout functionality using Simple JWT in my application. I blacklisted the user's refresh token upon logout, and my JWT settings are as follows:

"ACCESS_TOKEN_LIFETIME": timedelta(minutes=1),
"REFRESH_TOKEN_LIFETIME": timedelta(days=1),
"ROTATE_REFRESH_TOKENS": True,
"BLACKLIST_AFTER_ROTATION": True,
"SLIDING_TOKEN_LIFETIME": timedelta(minutes=60),
"SLIDING_TOKEN_REFRESH_LIFETIME": timedelta(days=1),

However, when a user logs out and their refresh token is blacklisted, they are still authorized to access the system using their access token until it expires, which is set to 1 minute in my case. what can be done to make sure that the user is completely unauthorized upon logout.

What about revoking both the access key and the refresh key when a user logs out. In every subsequent request, I can check whether the access key is blacklisted in the database, and if it is, raise an exception. However, doing this would break the statelessness of JWTs, and I don't think a database would be a good choice for this. Instead, I might consider using something like Redis. Please let me know if I'm wrong.

Thank You 👍

[Chhunneng]

after you log out, request to refresh-token endpoint then the token will not be useable anymore. but it's just the temporary solution now

[skdishansachin]

I am facing the same issue that @ghost had. Is there any way to solve it?

thank you 😊

[expzhizhuo]

I have the same problem as you. Do you have a good solution

[skdishansachin]

Here is a clearer explanation of a possible solution to a problem: you can blacklist the access_token and refresh_token in Redis by using the token's unique identifier or JWT id as the key and setting an expiration time based on the token's lifetime. To ensure security, you can check if either the access_token or refresh_token is blacklisted in Redis before processing subsequent requests, and deny access if either is blacklisted.

Regarding the issue of statelessness of JWTs, I am not sure, but I don't think it is affected. If you need more information, you can check out https://stackoverflow.com/questions/52431850/logout-django-rest-framework-jwt.

[expzhizhuo]

@dishansa As I can see, his approach is to use a custom authentication class instead of using his own IsAuthenticated, which means I need to use a custom authentication class instead of my own authentication. But I don't want to rewrite the authentication. I want to use my own authentication

[skdishansachin]

@expzhizhuo I'm sorry, I'm having trouble understanding your message. Could you please provide some more information please?

[Darkbeast-glitch]

I have the same problem, now when the token is refreshed and added to blacklist , I am still able to access other endpoints that needs authorization with the same access token

[nikhilrizal]

as i guess we need to add custom decorator

[BESoft33]

Has anybody found a better way to deal with it?