Problem statement:
Force expire a JWT when the user wants to log out from the mobile.
Issue:
As JWT is not stored on any DB (as doing that will defeat the whole purpose of JWT) what is the correct way to force expire the JWT token?
As I read through various answers I realized that a JWT cannot be expired manually (which is what I want to achieve).
As per JWT, it will expire only when it hits the expiration time which is set in the token. This is bad from a security standpoint.
Options:
Clear the cache and the JWT from the mobile app when the user hits logout. But the problem remains that the JWT is still valid.
Maintain a list of blacklisted JWTs when the user hits logout and check every subsequent request against it. This defeats the whole purpose of JWT. This approach is not scalable and a bad implementation.
I am not sure what is the correct way.