
JWT authentication, as opposed to session-based authentication, is supposed to be less of a hassle to implement in a distributed system. With traditional session auth, you would need a shared cache (which is a single point of failure) or a distributed cache (which comes with its own set of complexities).

Wouldn't adding a revocation service, such as a token blacklist, in order to, for example, "logout" a user, introduce the same hassles of session auth described above?

Palisand

1 Answer


Yes, it would. Adding a blacklist will cause you to lose some of the advantages of JWT, such as not needing server space. Other than that, if you use a cache with multiple servers, you will need a replication mechanism, as you said.

But it is a common assumption to allow tokens to expire instead of using a blacklist and setting a small refresh time.

Take a look here to see some common techniques to invalidate tokens.

pedrofb