Update/change roles claim (or any other claim) in JWT

I'm storing user roles inside a JWT (to restrict API endpoints). The roles can be changed by an administrator.

If a role is changed, how am I supposed to reflect this inside all tokens? I've thought about a couple of solutions:

  • If I used refresh tokens, the user would have to wait until the access token has expired.

  • I could keep a record of changed user IDs and check every request, and then return a new token if the user has been changed.

Is there a standard way to do this?

tobbe asked May 15 '17 11:05

1 Answer

Refresh tokens don't seem to be the solution if you care about the changes you make being instant; you probably don't want a user to access moderation tools for some time after you revoke his permissions.

What you could do is keep a version number in the JWT token relative to the user, much like how mongoose does it with its versionKey. By doing this, you would be able to check this version against the one in the database for a given user. Each time you change the roles of this user, you would increment this version; if the version in the JWT doesn't match, just recreate a new one with the correct roles and version and send it back to the user.

I don't believe there is a proper standard for this. As a JWT is immutable by design, you'll have to replace it entirely if you need to "update" it.

Preview answered Oct 15 '22 11:10