JavaScript
Max Voronov, 2016-07-22 17:14:30

How to properly invalidate JWT tokens?

I ran into what looks, at first glance, like a simple task: how to properly invalidate a token? For example, when the user logs out or changes their password.
Briefly, the task: there is an ordinary REST API in which part of the functionality requires the user to be authorized. We implement this with JWT.
Searching the web for answers, I found a few ideas:

  • "Forget" the token on the client
    This is the simplest solution, but in fact the token keeps working until its lifetime expires. So this solution is not very safe.
  • Store a blacklist of tokens in the database
    If the user invalidates the token, we write it to the database. On each request we check whether the submitted token is in the blacklist. And, of course, we clean the database by expiry.
    Quite a viable option, but then the point of JWT is somewhat lost.
  • Change the secret
    A convenient option when you need to invalidate the tokens of all users. But if you make an individual secret for each user, you need to store it somewhere (the database again?) and you cannot use the more reliable RS256 algorithm. By the way, an additional question: does it make sense to use it for web tokens at all?

To be honest, none of the options I found seem like a complete solution to me. There is a feeling that I missed something. I would be happy to hear any thoughts and advice on this matter.


1 answer(s)
Vladimir Grabko, 2016-07-23
@VGrabko

Use fast storage for this, not a database (e.g. Redis). We keep the secret key for tokens in Redis (each token has its own). On logout, update the key. And of course we forget it on the client.
In Redis the entries look like
user_id : secret
Everyone works by this scheme.
