We are trying to follow this code base for our Spring REST based application. spring-boot-jwts
The issue is that we are not able to remove the JWT token during logout from server. When we checked on net we came to know only approach for this is Blacklisting the JWT tokens as given in this Blacklisting. Is it so?
We are bit new to token based authentication, please let us know if there's a solution like expiring the token on logout calls or something.
We'll also want to generate a refresh token to maintain the same user session (refreshing the expiration) as long as they're logged in. Once they're logged out, we can let the JWT token expire, and invalidate it. That being said, we'll need to map a device as well as the refresh token to a user's session.
This claim provides a unique identifier for the JWT. When a JWT is manually expired you insert the jti into a blacklist. The value should persist into the table until the natural expiration of the token. Now, for each request should also check if jti inside the table; if it's found the access is denied.
You cannot manually expire a token after it has been created. Thus, you cannot log out with JWT on the server-side as you do with sessions. JWT is stateless, meaning that you should store everything you need in the payload and skip performing a DB query on every request.
Long story short
, you have to build a mechanism to delete or invalidate a token manually
on logout.
The question you should ask yourself is
The above question will not necessary solve your logout
issue because, you still need a mechanism to invalidate
a token that is stored or not stored in database
.
One of the benefits of not storing
the token in database is that you don't have to worry about deleting
them when (no maintenance or some clean up process)
password
flow, let's not cover other flows
) roles and permissions are downgraded or upgraded in database and hence, what's inside jwt is outdatedI am sure you are using the verify
endpoint and it's purpose is to validate whether a token is valid
or not but, will not necessary check all the above scenarios which means you have to either
verify
workflow to add more custom checks
ORverified
for signature validity
, expiry time
, and some other default checks
you can run your own custom checks
and if your custom checks
passed then proceed otherwise you shall not pass!
Well, besides blacklisting
you could do something as follow
Simply store the uniquely-identifying-metadata
of JWT token into redis as key and give it a expiry time
that is same as JWT
token expiry time so that it self-destruct
when the token is expired.
set key {replace_with_jwt_unique_identifier} ex {jwt_expiry_timestamp}
Risk: Redis is in-memory store and the entries are not persisted.
Don't use Redis or don't want to take the risk. You can use database with a custom database table. A separate table that is either
ON DELETE CASCADE
When a token is issued also populate this new database table.
When a normal
request comes in with a JWT, use the JWT to query the in-memory
store or database
table to see if record exist.
In case of in-memory
store a simple existence
check is more than enough.
In case of database table
you need to do more checks (i.e. exist and not expired, etc.) and if the checks passed the let the request through, else you shall not pass!
When a logout request
comes in, in case of in-memory
store simply delete the key
and proceed (if found) and in case of database
you could delete the JWT
record which will cascade down to new table.
Well, you can do it
verify
endpoint workflow to also do these extra checksThe projects that I work with does not require a token to be invalidated on logout
so I did not have to cross this bridge. I did have to expand the verify
endpoint to make sure a token is valid if all my custom checks
have passed.
In addition to tutorial that you pointed out. There are some other SO questions that also discuss a similar issue. See
What if JWT is stolen?
How to destroy JWT on logout?
More how to delete a JWT token?
How to invlidate JWT when password changed
Github issue - how to invalidate JWT
Finally the best for the last - Invalidating JWT Web Tokens
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With