Help with blacklist for jwt compromised

Hi there, is it possible to create a JWT blacklist for the below scenarios, if so how?
1, jwt is compromised
2, used being deleted by the admin
3, info in the JWT is updated by the admin such as roles

I have been googling and spent the whole day reading through blogs, unfortunately, there are very few articles describing this scenario. Some mentioned to resolve this issue by leveraging mixer, nevertheless I know Mixer adaptor is going to be deprecated soon.

We’re solving this issue using the Envoy ext_authz built in filter type combined with a service that stores blacklisted tokens and returns a 403 if the token is invalid.

@YangminZhu could you take a look and share any workarounds?

You can also use AuthorizationPolicy with deny action, for example, you can deny JWT token with claim “user: admin1” on the ingress gateway with the following policy:

kind: AuthorizationPolicy
  name: deny-jwt
  namespace: istio-system
      app: istio-ingressgateway
  action: DENY
    - key:[user]
      values: ["admin1"]