Tags: security, jwt, secret-key

Per User Secret JWT


I'm trying to implement a REST endpoint that allows the user to log out of all devices the user is logged in on.

I'm looking into a dynamically generated secret per user. I'm currently trying some_global_secret + user_email + random_uuid as the secret.

This allows the user to log in and log out of multiple devices, and if the user wants to log out of all devices, all I need to do is generate a new secret key for the user and all the remaining tokens will be invalid. If the user changes his or her password, it allows both the choice to log out only of the current device or to log out of all the other devices as well.

However, a big flaw in this approach is that I need to pass the user's email every time to be able to decode the token.

What is the best approach to going about this? Having a single secret for all the users means more complex logic when it comes to logging out of all devices, and it's not as easy as just generating a new secret, because that would log everybody out.

I'm thinking of passing the encoded email as some kind of header that the client has to pass for all protected endpoints. Is that a good approach?

Any guidance would be greatly appreciated.


Solution

Interesting idea.

You could extend your idea to a signed payload inside the JWT. Essentially a JWT inside a JWT. The outer JWT is signed with a common secret. The inner JWT is signed with a per-user secret. You validate the outer JWT (which gets you the user reference) and then you try and validate the inner JWT; if you can't (because the user's secret has been rotated out) then it fails.

The inner field wouldn't need to be another JWT necessarily; it really just needs to be something signed (e.g. HMAC) that you can verify with the current per-user secret.
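The scheme described in the answer, as an added example that is not part of the original post or answer: a minimal HS256 signer/verifier built only on the standard library, and a `TokenService` that issues an outer JWT (signed with the shared secret, carrying the user id) wrapping an inner JWT signed with a server-side per-user secret. Because the outer token already identifies the user, the client does not need to send the email in a separate header, which addresses the flaw raised in the question. `TokenService`, `issue`, `verify` and `logout_all` are names chosen for this example; the per-user secrets are random server-side values rather than the email-based construction in the question.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(payload: dict, secret: bytes) -> str:
    """Produce a compact HS256 JWT (header.payload.signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes) -> dict:
    """Verify the HS256 signature (constant-time) and expiry; return the payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if "exp" in payload and payload["exp"] < time.time():
        raise ValueError("expired")
    return payload


class TokenService:
    """Outer JWT signed with a shared secret; inner JWT signed with a per-user secret.

    Rotating a user's secret invalidates every inner token for that user while
    tokens of all other users stay valid (hypothetical service, in-memory store).
    """

    def __init__(self, global_secret: bytes, ttl_seconds: int = 3600):
        self.global_secret = global_secret
        self.ttl = ttl_seconds
        self._user_secrets = {}  # user_id -> current per-user secret (server side only)

    def _user_secret(self, user_id: str) -> bytes:
        if user_id not in self._user_secrets:
            self._user_secrets[user_id] = secrets.token_bytes(32)
        return self._user_secrets[user_id]

    def issue(self, user_id: str, device: str) -> str:
        now = int(time.time())
        inner = sign_jwt({"sub": user_id, "device": device, "iat": now},
                         self._user_secret(user_id))
        outer = {"sub": user_id, "inner": inner, "iat": now, "exp": now + self.ttl}
        return sign_jwt(outer, self.global_secret)

    def verify(self, token: str) -> dict:
        outer = verify_jwt(token, self.global_secret)   # shared secret: who is this?
        user_id = outer["sub"]
        inner = verify_jwt(outer["inner"], self._user_secret(user_id))  # still current?
        if inner["sub"] != user_id:
            raise ValueError("inner/outer subject mismatch")
        return inner

    def logout_all(self, user_id: str) -> None:
        """Rotate the per-user secret; every existing token for this user now fails."""
        self._user_secrets[user_id] = secrets.token_bytes(32)


if __name__ == "__main__":
    svc = TokenService(b"constructed-global-secret", ttl_seconds=60)
    phone = svc.issue("alice", "phone")
    print(svc.verify(phone)["device"])
    svc.logout_all("alice")
    try:
        svc.verify(phone)
    except ValueError as e:
        print("rejected after logout_all:", e)
```

The per-user secret never leaves the server, so the only client-visible state is the outer token, and `verify` fails closed on a tampered outer token, a tampered inner token, or a rotated secret. Logging out a single device would additionally need a per-device identifier or a short denylist keyed on `device`, which this example does not cover.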