Paulo Cesar Silva Reis commented on WFLY-13801:
-----------------------------------------------
Got it, so something like *Keycloak* is the way to go, and I agree with you: token
revocation would be nice to have :).
JWT Revoke Feature
------------------
Key: WFLY-13801
URL: https://issues.redhat.com/browse/WFLY-13801
Project: WildFly
Issue Type: Feature Request
Components: Security
Affects Versions: 20.0.1.Final
Reporter: Paulo Cesar Silva Reis
Assignee: Darran Lofthouse
Priority: Major
Hi,
We've been working with JWT using Elytron and we would like to know why there
isn't a way to REVOKE tokens. Reading the documentation, it seems Elytron doesn't
provide a way to double-check whether a still-valid JWT still has access to the application.
If a class could be instantiated and a method called, the application could validate it,
returning a boolean (indicating whether the user can proceed) or throwing an exception
when permission is denied.
If such a feature isn't present, even though we blacklist the token (logging the user out),
the user is already logged in, and that can be a security breach.
Something like this would be great:
{code}
/subsystem=elytron/token-realm=app-realm:add(jwt={issuer=["issuer"],audience=["app"],key-store=app.ks,certificate="alias",validator="com.validator.TokenValidator"},principal-claim="sub")
{code}
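To make the proposal concrete, here is an added example (it is not WildFly/Elytron code and not the reporter's) of what such a post-verification check could look like. It assumes Elytron has already verified the signature, issuer, audience and `exp`, and that the claim values (`sub`, `jti`, `iat`, `exp`) are handed to the check; the `TokenValidator` interface shape is a hypothetical stand-in for the `validator` attribute in the ticket, and the claim values in `main` are constructed. It keeps two revocation mechanisms: a per-token deny-list keyed by `jti`, bounded by each token's own expiry so memory does not grow forever, and a per-subject "issued before" cutoff that logs a user out everywhere (password change, suspected compromise) without tracking every token.

```java
import java.time.Instant;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Revocation check for JWTs that have ALREADY passed signature/issuer/audience/exp
 * verification. It only answers: "is this still-valid token still allowed?"
 * Added example; not an Elytron API.
 */
public final class JwtRevocationCheck {

    /** Hypothetical hook shape mirroring the ticket's "validator" idea (assumption, not Elytron's). */
    public interface TokenValidator {
        /** Returns true when the caller may proceed; throws SecurityException when denied. */
        boolean validate(String subject, String jti, long issuedAt, long expiresAt);
    }

    /** jti -> exp (epoch seconds). An entry is only needed until the token expires on its own. */
    private final Map<String, Long> revokedIds = new ConcurrentHashMap<>();

    /** subject -> cutoff (epoch seconds): tokens issued at or before the cutoff are rejected. */
    private final Map<String, Long> subjectCutoffs = new ConcurrentHashMap<>();

    /** Revoke a single token, e.g. the one presented at logout. */
    public void revokeToken(String jti, long expiresAt) {
        revokedIds.put(Objects.requireNonNull(jti, "jti"), expiresAt);
    }

    /** "Log out everywhere": reject every token for the subject issued at or before cutoff. */
    public void revokeAllBefore(String subject, long cutoff) {
        // Keep the latest cutoff if called more than once.
        subjectCutoffs.merge(subject, cutoff, (a, b) -> Math.max(a, b));
    }

    /** Drop per-token entries the normal exp check would reject anyway; returns how many were removed. */
    public int purgeExpired(long now) {
        int before = revokedIds.size();
        revokedIds.values().removeIf(exp -> exp <= now);
        return before - revokedIds.size();
    }

    /** Boolean style: can this (already verified) token still be used? */
    public boolean isAllowed(String subject, String jti, long issuedAt) {
        // Without a jti the token cannot be revoked individually; reject rather than silently skip.
        if (jti == null || revokedIds.containsKey(jti)) {
            return false;
        }
        Long cutoff = subjectCutoffs.get(subject);
        return cutoff == null || issuedAt > cutoff;
    }

    /** Exception style: the same decision, throwing when permission is denied. */
    public void requireAllowed(String subject, String jti, long issuedAt) {
        if (!isAllowed(subject, jti, issuedAt)) {
            throw new SecurityException("token revoked for subject " + subject);
        }
    }

    /** Adapter to the hypothetical hook interface above. */
    public TokenValidator asValidator() {
        return (subject, jti, iat, exp) -> {
            requireAllowed(subject, jti, iat);
            return true;
        };
    }

    public static void main(String[] args) {
        JwtRevocationCheck check = new JwtRevocationCheck();
        long now = Instant.now().getEpochSecond();

        // Constructed sample claims, as they would come out of already-verified tokens.
        String aliceOld = "jti-a1"; long aliceOldIat = now - 3600;  // alice, older session
        String aliceNew = "jti-a2"; long aliceNewIat = now - 60;    // alice, current session
        String bobToken = "jti-b1"; long bobIat = now - 120;        // bob

        // alice logs out of the current session: only that token is affected.
        check.revokeToken(aliceNew, now + 300);
        System.out.println("alice current session allowed: " + check.isAllowed("alice", aliceNew, aliceNewIat));
        System.out.println("alice older session allowed:   " + check.isAllowed("alice", aliceOld, aliceOldIat));

        // alice changes her password: everything issued before now-30s is cut off; bob is untouched.
        check.revokeAllBefore("alice", now - 30);
        System.out.println("alice older session allowed:   " + check.isAllowed("alice", aliceOld, aliceOldIat));
        System.out.println("bob allowed:                   " + check.isAllowed("bob", bobToken, bobIat));

        // Same decision through the exception-style hook.
        try {
            check.asValidator().validate("alice", aliceOld, aliceOldIat, now + 300);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }

        // Housekeeping once the revoked token would have expired anyway.
        System.out.println("purged entries: " + check.purgeExpired(now + 600));
    }
}
```

The per-subject cutoff is the part a deny-list alone cannot give you: it needs only one timestamp per affected user, and it also covers tokens the server never saw presented. Whatever backs the two maps in a real deployment has to be shared across all nodes that accept the tokens, or a revoked token stays valid on the node that did not hear about the revocation.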