According to Matt Way's answer in this post: Invalidating JSON Web Tokens

Regarding solution #2, using a token blacklist, I have a question: how does the server know exactly which old token to add to the blacklist? For example: when I log in, I receive the "ABCD" token from the server, and the server does not keep this token anywhere. Then I change my password (or log out); the server should send me a new token like "EFGH" and invalidate the old "ABCD" (by adding "ABCD" to the blacklist until its expiry date). But the issue is: how can the server know the old "ABCD" token in order to add it to the blacklist?

Quoc Van Tang

1 Answer

To perform actions related to an account, the JWT generated at login must be present in the headers of the request (usually in the Authorization header).

It is the client that will store the token and send it whenever necessary to authenticate itself to the server.

It only remains for the server to retrieve the token present in the headers to invalidate it and blacklist it when necessary.

Toars
  • So it means that when you want to reset the token to get a new one, you need to pass the old token in the header, so the server can retrieve it and add it to the blacklist. – Quoc Van Tang Sep 27 '18 at 02:01
  • This is not true if there are both access and refresh tokens. The user can send requests with the access token and we don't know which refresh token to invalidate. – M3RS Dec 06 '18 at 15:08
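Putting the answer and the two comments together, here is an added example (not code from the question or the answer) of a server that reads the bearer token from the Authorization header and blacklists the session rather than the individual token, so that presenting the access token also revokes the matching refresh token. The minimal HS256 encoder, the `sid`/`sexp` claim names, the TTLs and the secret are all assumptions made for the demo, standing in for a real JWT library and real configuration.

```python
import base64, hashlib, hmac, json
SECRET = b"constructed-demo-secret"   # constructed for this example only
ACCESS_TTL, REFRESH_TTL = 900, 7 * 86400

def _b64(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(claims):  # minimal HS256 encoder standing in for a real JWT library
    head, body = _b64(b'{"alg":"HS256","typ":"JWT"}'), _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify(token, now):  # check signature and expiry; return the claims or raise
    head, body, sig = token.split(".")
    want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims

def issue_pair(sub, sid, now):
    """Access and refresh token share a session id 'sid'; 'sexp' is when the session dies."""
    sexp = now + REFRESH_TTL
    common = {"sub": sub, "sid": sid, "sexp": sexp}
    return (sign({**common, "typ": "access", "exp": now + ACCESS_TTL}),
            sign({**common, "typ": "refresh", "exp": sexp}))

class Blacklist:  # revoked session ids, each dropped once the session's last token expires
    def __init__(self): self.revoked = {}  # sid -> sexp
    def revoke(self, sid, sexp): self.revoked[sid] = max(sexp, self.revoked.get(sid, 0))
    def is_revoked(self, sid, now):
        self.revoked = {k: e for k, e in self.revoked.items() if e > now}  # prune expired
        return sid in self.revoked

def authenticate(headers, blacklist, now):
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("no bearer token")
    claims = verify(token, now)
    if blacklist.is_revoked(claims["sid"], now):
        raise ValueError("revoked")
    return claims

def logout(headers, blacklist, now):  # the presented token tells the server which session to kill
    claims = authenticate(headers, blacklist, now)
    blacklist.revoke(claims["sid"], claims["sexp"])  # kills both tokens of that session
    return claims["sid"]
```

Because the blacklist entry lives only until `sexp`, it stays bounded by the refresh-token lifetime, and a password change can call `logout` with whatever token the client presented and still invalidate the whole session.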