A commonly asked question on the Apigee community has been how can JWTs be revoked or blacklisting be applied. If you've already read Dino's interesting point of view on this topic and are still looking at implementing a solution, this example looks at implementing blacklisting using Google Cloud services - a Cloud Function implementation that is backed by Memorystore which provides a fully managed in-memory data store which we will use to track which ids are flagged.
Architecture
This solution does the following within the Apigee API Proxy
Some important optimization notes on the above:
3. The example Cloud Function is implemented in Node.js using the redis package to interact with Memorystore.
I'm using the increment operation rather than set for flagging an id as it offers the highest performance according to the benchmarks provided, along with the exists operation.
The example cloud function code is available here.
Cloud Function Interface
The Cloud Function supports the following
This will return an empty response with 204 status code if the id has been blacklisted, otherwise a 404.
This will flag the given id and return a 201 status code if the id has been blacklisted, or 204 if it was already blacklisted.
Example
This API Proxy, and the cloud function source code can be found here. The API Proxy has been implemented with shared flows for getting a token from Google Cloud and calling the Cloud Function.
The example relies on encrypted KVM entries for the service account credentials and the url for the cloud function should be updated in the proxy.
Multi-region support
The above example suits a single region Apigee instance. For multi-region customers that are latency sensitive they would need to adapt the solution. For example, as Memorystore is not a multi-region solution, additional Memorystore instances would need to be configured in additional regions as required. The Cloud Function could then update all Memorystore instances simultaneously when an id is to be blacklisted and the lookup could then be done using the closest Cloud Function and Memorystore pair.
It is a great article @dane knezic.
There was another community post from Dino talking about invalidating/blacklisting JWT tokens using Apigee Cache,
I did not find the post, but attached is a sample implementation.
What are your views on using Memorystore and what pros does it bring when compared with Apigee Cache Policies?
Hi Sid
The cache doesn't provide consistency immediately which may be a requirement for this type of use case, and for a multi-region configuration a custom approach like this can give you more control.