alexanoid

Reputation: 25862

JWT Authentication and user validation

I'm not sure I fully understand the concepts of how a proper JWT Authentication must work. I have found an article about JWT Authentication where the author says that:

  ..the token is self-contained, so the client just needs to resend it to the server for each request, and the server just has to check the signature to ensure its validity. No more useless calls to the database or LDAP.

I'm a little bit concerned about the phrase "No more useless calls to the database or LDAP".

But how do I check, for example, that the user still exists in the system, or that the user has not been banned and this token has been expired early?

Looks like I definitely need to make a call to the database or LDAP in order to get this information and compare it with the info inside the JWT token, don't I?

Upvotes: 6

Views: 1247

Answers (1)

MvdD

Reputation: 23494

You are correct that if you MUST check this on every call, you will need to query the database or call the authorization server.

But the point is that JWT tokens should have a short enough lifetime that you should not have to worry about this.

If the token expires every hour, and the user is deleted or banned, he/she will only have access to the APIs for at most another hour (or whatever the token lifetime is). Then the client needs to renew the token and finds out that the user is no longer valid.

Not having to query the database or call a service for each token validation will make your service scale much better. It also removes a single point of failure (auth DB or service down).

Upvotes: 8
