Vincent

Reputation: 5425

Why can't JWT refresh tokens be revoked?

I'm currently trying to wrap my head around JSON Web Tokens, and to make sure I'm not shooting myself (and my users) in the foot. Thus, I came across the post Stop using JWT for sessions and, more specifically, the rebuttals to counterpoints.

One of the counterpoints is that the inability to invalidate tokens can be combated by setting a short expiration time and using refresh tokens to allow the user to fetch new tokens without having to log in again. The rebuttal to that is that "you can't revoke the long-term tokens, which means you're back to square one."

How come you can't revoke the long-term tokens? Wouldn't they need to be passed to the authentication server, which can check a list of invalidated tokens (or simply have deleted the refresh token from its database) and then not supply a new JWT?

Upvotes: 0

Views: 574

Answers (1)

pedrofb

Reputation: 39261

A refresh token can perfectly well be revoked. The authentication server issues a long-term refresh token to each client and must keep track of it in order to validate the refresh request.

The refresh token does not have to be a self-contained JWT and therefore must be stored on the server. The server associates the refresh token with the client account and simply deletes it so that the next refresh request requires a new end-user authentication.

This is a sample OpenID Connect (an OAuth2 extension) authentication response which includes a refresh token:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
 "access_token": "SlAV32hkKG",
 "token_type": "Bearer",
 "refresh_token": "8xLOxBtZp8",
 "expires_in": 3600,
 "id_token": "eyJhbGciOiJSUzI1NiIg..."
}

Upvotes: 1
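What "keep track of it" looks like in code, as an added example that is not part of the answer above: a toy authorization server, Python standard library only, that issues short-lived HS256 JWT access tokens alongside opaque refresh tokens, stores only a SHA-256 hash of each refresh token, and revokes by deleting the stored record. It goes one step beyond the answer by also rotating refresh tokens (each one is accepted at most once). The signing key, TTLs, and all class and function names are illustrative assumptions, not anything from the question or the OpenID Connect spec.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key; a real deployment keeps this in a KMS/HSM and rotates it.
SIGNING_KEY = b"demo-signing-key-not-for-production"
ACCESS_TTL = 15 * 60           # short-lived, self-contained, NOT revocable
REFRESH_TTL = 30 * 24 * 3600   # long-lived, opaque, revocable server-side


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict) -> str:
    """Minimal HS256 JWT in compact serialization, used for the access token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Stateless check: signature and exp only. No lookup, hence no way to revoke."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims


class AuthServer:
    """Issues JWT access tokens plus opaque, server-tracked refresh tokens (hypothetical)."""

    def __init__(self) -> None:
        # sha256(refresh_token) -> {"sub", "exp"}. Storing the hash means a leaked
        # database dump does not hand out usable refresh tokens.
        self._refresh_store: dict = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, sub: str, now: float) -> dict:
        refresh = secrets.token_urlsafe(32)  # opaque handle, carries no claims itself
        self._refresh_store[self._key(refresh)] = {"sub": sub, "exp": now + REFRESH_TTL}
        access = make_jwt({"sub": sub, "iat": int(now), "exp": int(now + ACCESS_TTL)})
        return {"access_token": access, "token_type": "Bearer",
                "refresh_token": refresh, "expires_in": ACCESS_TTL}

    def login(self, sub: str, now: Optional[float] = None) -> dict:
        """Called once end-user authentication has already succeeded."""
        return self._issue(sub, time.time() if now is None else now)

    def refresh(self, refresh_token: str, now: Optional[float] = None) -> Optional[dict]:
        """Swap a refresh token for a new pair; None if unknown, revoked or expired."""
        now = time.time() if now is None else now
        # pop() makes the token single-use: rotation, so a replayed old token fails.
        record = self._refresh_store.pop(self._key(refresh_token), None)
        if record is None or record["exp"] <= now:
            return None
        return self._issue(record["sub"], now)

    def revoke(self, refresh_token: str) -> bool:
        """Revocation is deletion; the next refresh then requires a fresh login."""
        return self._refresh_store.pop(self._key(refresh_token), None) is not None

    def revoke_all_for_user(self, sub: str) -> int:
        """For password changes or 'log out everywhere'; returns how many were removed."""
        doomed = [k for k, r in self._refresh_store.items() if r["sub"] == sub]
        for k in doomed:
            del self._refresh_store[k]
        return len(doomed)


if __name__ == "__main__":
    srv = AuthServer()
    t0 = 1_700_000_000.0
    pair = srv.login("alice", now=t0)
    srv.revoke(pair["refresh_token"])
    # The JWT stays valid until exp: this is the window revocation cannot close.
    assert verify_jwt(pair["access_token"], now=t0 + 60) is not None
    # The refresh token, however, is gone, so no further access tokens can be minted.
    assert srv.refresh(pair["refresh_token"], now=t0 + 60) is None
```

The `__main__` block shows the trade-off the thread is about: after `revoke()` the stateless access token is still accepted by `verify_jwt` until its `exp`, so revocation only bounds the damage window to `ACCESS_TTL`; it does not cut off an already-issued JWT. Only the opaque refresh token, which every refresh must present to the server, is revocable outright.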
