我的书签
添加书签
移除书签Revocation
Users are revoked by public key and time. Access to an export, called an activation, can be revoked for a specific account at a specific time. The use of time here can be confusing, but is designed to support the primary uses of revocation.
Let’s look at an example. Suppose you created a user JWT with access to the subject “billing”. Later you decide you don’t want that user to have access to “billing”. Revoke the user, say at noon on May 1st 2019, and create a new user JWT without access to “billing”. The user can no longer log in with the old JWT because it is revoked, but they can log in with the new JWT because it was created after noon May 1st 2019.
Both add commands take the flag --at which defaults to 0, for now, which can be used to set the unix timestamp as described above. By default revocations are at the current time, but you can set them in the past for situations where you know when a problem occurred and was fixed.
