3

I have created an AccessToken (JWT token). I want to invalidate that token at the time of a password reset/change (i.e. the old accessToken should be invalid and the new one should be valid).

Neha_PT
  • 61
  • 4

4 Answers

0

First of all, invalidate/remove the JWT on the client side when a password is successfully reset.

Capture the password change timestamp in a table.

Provide an "issued at" (iat) timestamp in the payload of the JWT token.

When the token is decoded on the server, check if the "iat" timestamp is earlier than the password change timestamp. If yes, then invalidate the token.

With this mechanism you need not worry about cases where the user has more than one JWT, but there is a slight overhead of reading the database for the password change timestamp.

Ram
  • 11
  • 1
0

One approach to this is to save a field like token_seq in your database. Then you include both user_id and token_seq inside your JWT. During the password reset process you increment the token_seq field. When validating your JWT you check both user_id and token_seq.

This gives you a way to invalidate all "old" tokens at any time.

UPDATE: Another approach from this answer is to use a hash of whatever password value you're already storing for the user. This means that when the password changes, any old tokens will automatically be invalidated.

chmac
  • 11,757
  • 3
  • 32
  • 36
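As an added example, not code from the asker or from either of the previous two answers, here are both stateless checks written out in plain Python: the "iat earlier than password_changed_at" comparison from the first answer and the token_seq counter from the second. A minimal standard-library HS256 signer stands in for a real JWT library; SERVER_SECRET, the User fields and the function names are my own assumptions, and the caller is assumed to have already loaded the user row matching the token's sub claim (that read is the database overhead the first answer mentions).

```python
# Added example (not from any answer on this page): stateless JWT
# invalidation on password change. Standard library only; the tiny HS256
# encoder/verifier stands in for a real JWT library such as PyJWT.
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

SERVER_SECRET = b"constructed-server-secret-load-from-config"  # placeholder


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the signature checks out, else None."""
    try:
        header, payload, signature = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(signature)):
            return None
        return json.loads(_unb64url(payload))
    except (ValueError, UnicodeDecodeError):  # malformed token or bad base64/JSON
        return None


@dataclass
class User:
    """The columns the two answers ask you to keep next to the password hash (assumed names)."""
    user_id: int
    password_hash: str          # whatever hash the app already stores
    password_changed_at: int    # unix seconds, updated on every change (answer 1)
    token_seq: int = 0          # incremented on every change (answer 2)


def issue_token(user: User, now: int, ttl: int = 3600) -> str:
    claims = {"sub": user.user_id, "iat": now, "exp": now + ttl, "seq": user.token_seq}
    return sign_jwt(claims, SERVER_SECRET)


def validate_token(token: str, user: User, now: int) -> str:
    """Return "ok" or the reason for rejection; `user` is the DB row for the token's sub."""
    claims = verify_jwt(token, SERVER_SECRET)
    if claims is None:
        return "bad signature"
    if claims.get("sub") != user.user_id:
        return "wrong user"
    if now >= claims.get("exp", 0):
        return "expired"
    if claims.get("iat", 0) < user.password_changed_at:   # answer 1: issued before the change
        return "issued before password change"
    if claims.get("seq") != user.token_seq:                # answer 2: counter moved on
        return "stale token_seq"
    return "ok"


def change_password(user: User, new_password_hash: str, now: int) -> None:
    """Both answers' bookkeeping, done in the same transaction as the hash update."""
    user.password_hash = new_password_hash
    user.password_changed_at = now
    user.token_seq += 1


if __name__ == "__main__":
    alice = User(user_id=7, password_hash="h1", password_changed_at=1000)
    token = issue_token(alice, now=1500)
    print(validate_token(token, alice, now=1600))   # ok
    change_password(alice, "h2", now=2000)
    print(validate_token(token, alice, now=2100))   # issued before password change
```

Keeping both checks is not redundant: iat has one-second resolution, so a token issued in the same second as the password change passes the timestamp comparison and is only caught by the counter; the timestamp alone needs no extra column if that window is acceptable. With a real JWT library you would feed it the same claims and let it enforce exp.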
0

I am too late for the answer, but I think it can help someone else. If you want to invalidate your JWT after changing the password, it is easy to do, but you only need to understand something: when you change the secret key, the JWT token is not valid anymore. What you need to do is to put your hashed password as the secret key for your JWT, and make sure that the new password does not match the old one, and it is invalidated. Now that's it.

Bonus

Make sure to set the expiry to a small amount of time like 1h to make it more secure.

-1

I think you have to store the JWT token in the database (better in an in-memory database). When the user changes the password, delete the token of the particular user. Each time you verify the token, you have to check the existence of the token in the database.

Invalidating JSON Web Tokens

Sivabalan
  • 971
  • 2
  • 18
  • 43
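As an added example, not code from the answer above, this is the server-side store that answer describes, written as an allow-list keyed by token id. An in-memory dict stands in for the in-memory database it suggests (Redis or similar); the token ids are random strings, which is also what you would carry in a JWT's jti claim if the stored token is a JWT. The class and method names are my own assumptions.

```python
# Added example (not from the answer above): a server-side token store
# that is consulted on every request and emptied for a user when their
# password changes. The dict stands in for an in-memory database.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class TokenRecord:
    user_id: int
    expires_at: float


class TokenStore:
    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self._tokens: Dict[str, TokenRecord] = {}     # token id -> record
        self._by_user: Dict[int, Set[str]] = {}       # user id -> token ids

    def issue(self, user_id: int, now: float) -> str:
        """Create a token id, record it, and index it under the user."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = TokenRecord(user_id, now + self.ttl)
        self._by_user.setdefault(user_id, set()).add(token)
        return token

    def verify(self, token: str, now: float) -> Optional[int]:
        """Return the owning user id if the token is known and unexpired, else None.

        This is the per-request lookup the answer describes: a token that is
        no longer in the store is invalid regardless of its own contents.
        """
        record = self._tokens.get(token)
        if record is None:
            return None
        if now >= record.expires_at:
            self._forget(token)
            return None
        return record.user_id

    def revoke_user(self, user_id: int) -> int:
        """Drop every token of one user; returns how many were removed."""
        tokens = self._by_user.pop(user_id, set())
        for token in tokens:
            self._tokens.pop(token, None)
        return len(tokens)

    def purge_expired(self, now: float) -> int:
        """Housekeeping so the store does not grow without bound."""
        expired = [t for t, rec in self._tokens.items() if now >= rec.expires_at]
        for token in expired:
            self._forget(token)
        return len(expired)

    def _forget(self, token: str) -> None:
        record = self._tokens.pop(token, None)
        if record is not None:
            self._by_user.get(record.user_id, set()).discard(token)


def change_password(store: TokenStore, user_id: int) -> int:
    """Called after the new password hash is saved; revokes all of the user's tokens.

    Saving the hash itself is outside this example.
    """
    return store.revoke_user(user_id)


if __name__ == "__main__":
    store = TokenStore(ttl_seconds=3600)
    t = store.issue(42, now=0)
    print(store.verify(t, now=10))        # 42
    change_password(store, 42)
    print(store.verify(t, now=20))        # None
```

The per-user index is what makes "delete the token of the particular user" cheap; without it the password-change path would have to scan every stored token. The trade-off the answer implies stays: every request costs a store round-trip, which is why it suggests an in-memory database.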