How to invalidate or revoke jwt access token using Identity server 4 JWT authentication and Resource Owner Password grant?

Question

We have used JWT authentication scheme and resource owner password grant type with identity server. Backend is .Net core based micro services which is providing access token to angular based front end website.

As jwt token is not revocable and business requirement is to have longer access token lifetime, it seems only option is to have track of blacklisted tokens in database or cache.

Is there any way to modify the access token on backend and make it expire immediately when user triggers log out from frontend?

Answer 1

JWT cannot be revoked, it is by design as it is self-contained. Revocable alternative is Reference token which is not self-contained and thus server needs to actively communicate with identity server.

The compromise and common approach is to set access token lifetime to lower value and increase refresh token lifetime. Refresh tokens are revocable - it is supported by identity server 4 as well. So it is all about trade-off between the frequency of communication with your Identity server and long access token lifetime.

Answer 2

The JWT tokens are stored in the browser, so you can delete the cookie of it. But this option gives no security on the server side.

If you are worried about deleted/suspended accounts then yes, you have either to create a blacklist but you have to compare them for each request.

The other option is to reduce the expire times and rotate them. there is a post with more details here Invalidating JSON Web Tokens