Can JSON Web Tokens (JWT) be rejected or blacklisted if a user wants to sign out of an account from a different machine?

I'm building an app that requires authentication and I'm worried users might want to be able to remotely log out. Is there a way to use JSON Web Tokens and be able to blacklist or reject them? I understand that their benefit is statelessness, but it would be nice to have a remote logout.

EDIT: With Express.js using the express-jwt module, there is a method to revoke tokens. Also, there is a module express-jwt-blacklist. I still don't understand how these strategies work and would like to know what is the best practice at this point.

Adam S asked Oct 19 '22 12:10


1 Answer

There is a nice article on Auth0 about Blacklisting JSON Web Token API Keys where they give a good real world example on how to blacklist a JWT API key so it is no longer valid. You should give it a read.

Framing the problem

Providing support for blacklisting JWTs poses the following questions:

  1. How are JWTs individually identified?
  2. Who should be able to revoke JWTs?
  3. How are tokens revoked?
  4. How do we avoid adding overhead?

This blog post aims to answer the previous questions by leveraging our experience from implementing this feature in our API v2.

The article breaks down each point and then shows some example code on how to achieve it and concludes with:

Most of the aforementioned content applies to blacklisting JWTs in general, not just JWT API keys.

Hopefully this blog post has provided some useful ideas on how to tackle this problem.

I've personally applied similar methodologies to revoke multiple sign-ins where the tokens were used similarly to session ids and stored in cookies. I modeled it like the GitHub profile section where the user can see all their other active sessions and revoke them (remote sign out) when needed.

As far as best practice is concerned, I believe that topic would be rather opinion based. I do however see Auth0 as a source of good practices in this topic area, with a lot of people experienced on the matter.

UPDATE:

Found this express-jwt plugin for token blacklisting on npm

Nkosi answered Oct 21 '22 23:10