Reputation: 29557
Invalidating JWTs on sign out?
I'm new to JWT and was wondering if it is possible to invalidate/void JWTs on the server-side when a user signs out of an application (I'm also wondering if it even makes sense to do so!). Idea is:
- User clicks a sign out link in their app
- App makes a call to
POST https://api.myapp.example.com/auth/invalidate - The JWT (which is an authorization/bearer token in the HTTP request header) is somehow invalidated
- Now, no one can ever use that JWT again
I'm not sure if this is an unorthodox approach to signout logic or not, or whether its acceptable to just let the JWT linger as valid, even after the user signs out (I guess I could shorten the life of the JWT expiry to, say, 60 mins or something).
So again: wondering if its possible to do this kind of "invalidation" using (and if so, how?!) as well as whether it even makes sense to do this (and if not, what does a typical signout flow look like?!). Thanks!
Upvotes: 3
Views: 961
Answers (1)
Reputation: 131067
Besides the token expiration date (stated in the exp claim) I can think of a couple of ways of invalidating a JWT token:
Changing the key
The first approach requires changing the key used to sign the token on server side, but it doesn't seem to be practical for the situation described in your question.
Whitelisting the token identifiers
Another approach (and probably the one that suits you better) involves keeping the track of the token in a whitelist on server side.
When issuing a token, use the
jticlaim to store a unique identifier in the token. Also add this unique identifier to the whitelist on server side.When validating the token (besides checking the signature, the expiration date and other claims you may need to), ensure that the value of the
jticlaim is whitelisted.When a user requests to invalidate the token, remove the token identifier from the whitelist.
For the token identifier, you can use UUIDs.
JWT allows you to perform stateless authentication (once you validate the signature, you can trust the token and then perform authentication without depending on external entities). The whitelist approach is a trade off, in case you need to track the tokens you have issued.
Upvotes: 4
Related Questions
- Can I force a logout or expiration of a JWT token?
- Action on endpoint /logout for JWT with refresh tokens
- JWT authentication: How to implement logout?
- How to prevent log out users when changing JWT secret?
- How to logout with JWT
- How to invalidate JWT token after the user is not being active for amount of time
- JWT User Invalidating the token on logout
- Invalidating client side JWT session
- Usage of JWT after logout
- JWT logout feature without using blacklist?