7

I followed this tutorial for using JWT token. The token expiry is set to only 5 minutes, but what if I wanted to invalidate the token after 1 minute of use? I want to be able to make an API call to /api/logout and that should delete my token.

I'm using Express and Node.

It seems, from what I could gather, that my option is to have a token DB that stores the token. When I want to expire my token, I then expire/remove the token from the DB.

I've also seen people casually say "remove" the token from the physical hard space, but I cannot figure out where the token is physically stored for me to remove it.

Kousha

2 Answers

11

The general benefit of a JWT token authentication is that the tokens can contain all the session information you would normally keep in your session store. This saves considerable resources, especially in request-to-response times, because you do not have to look up session data on each and every request - the client gives you all that.

However, it comes at the cost of not being able to revoke a JWT token at a time of your choosing, because you lost track of state.

The obvious solution of keeping a list of invalidated tokens somewhere in your database kind of removes the above-described benefit because you again have to consult the database on every request.

A better option would be to issue short-lived JWT tokens, i.e. tokens valid only one minute. For a web application, an average user may perform several requests in a minute (a user navigating around your app). You can give each user a JWT token that will last a minute and when a request with expired token arrives, you simply issue them a new one.

Update: Issuing a new access token after presenting an expired token is a very bad idea - you should treat an expired token as invalid, as if it had been forged. A better approach is to have the client present a refresh token which will prove the user's identity, and only then issue a new access token. Note that verifying a refresh token must be a stateful operation, i.e. you must have a list of all valid refresh tokens per user somewhere in your database, because if the refresh token is compromised, the user must have a means of invalidating that token.

Robert Rossmann
  • From an implementation point of view, would you attach the new token to the response headers? – kilianc Feb 12 '16 at 17:33
  • Yes, that would make sense. The client should be aware that the access token may change with any request and should always use the last one received. – Robert Rossmann Feb 12 '16 at 17:37
  • That seems like a good compromise between going stateless with no control, and having to hit the DB every time. I am still skeptical about storing mutable data in the JWT; even having to wait 60s for a change is pretty bad UX. – kilianc Feb 12 '16 at 17:44
  • Does it make any difference if there is one refresh token stored in the DB compared to storing a session in the DB for every user? – CloudWave Apr 06 '21 at 16:53
  • @CloudWave yes. When done properly, you only query the database for the refresh token once the access token expires. With a session ID/token stored in the database, you will soon find that you need to query the database for the session ID on every request. – Robert Rossmann Apr 06 '21 at 16:56
  • So the refresh token is just a pseudorandom value or it has to be a JWT? – CloudWave Apr 06 '21 at 17:01
  • That's really up to you, but in general it needs to be hard to guess and highly unpredictable. So I guess that's a pseudorandom value, indeed. :) A refresh token should uniquely identify a user's session on a particular device. It would be good to also store some information about that device as well, like geographical location and client metadata (i.e. user agent). It can be a JWT if you like, but I would say it's not the right tool for this job. – Robert Rossmann Apr 06 '21 at 18:32
1

1) Simply remove the token from the client

2) Create a token blacklist

3) Just keep token expiry times short and rotate them often

Please have a look at Invalidating JSON Web Tokens

Ziaullhaq Savanur