
I have been searching for a long time on the net, but to no avail. Please help, or try to give some ideas on how to achieve this.

I once used a method: when generating the JWT token, add a fixed parameter as the salt used to generate the token. If you want to kick a user offline, you only need to regenerate the value of the salt, and then, in the interceptor, verify every time whether the salt used to generate the token is consistent with the token passed by the client. From this it can be judged whether this token has been hacked.

However, this method still stores certain data on the server side, which violates its statelessness. Is there any better way to implement it?

caoxin
  • Does this answer your question? [Invalidating JSON Web Tokens](https://stackoverflow.com/questions/21978658/invalidating-json-web-tokens) – crizzis May 19 '21 at 17:12

1 Answer


JWTs are not a great option when you need the ability to end a user's session or log them out. In order to do that, you need to track some sort of state.

https://developer.okta.com/blog/2017/08/17/why-jwts-suck-as-session-tokens

You can take a hybrid option though, and use a "stateless" option (JWT validation) for less critical operations, and do some sort of a "stateful" validation for others: https://developer.okta.com/blog/2020/08/07/spring-boot-remote-vs-local-tokens

This post might not be what you are looking for, as it is more about a client validating tokens issued by an IdP, but it shows using JWTs for "read" requests (GET, HEAD, OPTIONS) and remote validation (OAuth 2) of the token for all other requests.

Brian Demers
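The following is an added example, not code from the question or the answer, that puts both ideas side by side: the questioner's per-user "salt" (here a session-version claim `sv`, stored server-side and bumped to kick the user) and the answer's hybrid policy, in which GET/HEAD/OPTIONS are authorized by local signature and expiry checks alone while every other method also consults server-side state. The stateful check is a local dictionary lookup standing in for an OAuth 2 introspection call; the HS256 signing routine, the demo secret, the `sv` claim name and the function names are all assumptions made for this example, and the tokens are constructed here rather than issued by a real IdP.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment keeps this in a secret store.
SECRET = b"demo-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict) -> str:
    """Minimal HS256 JWT signer (stdlib only, demo purposes)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = dict(separators=(",", ":"))
    signing_input = ".".join([
        _b64url(json.dumps(header, **compact).encode()),
        _b64url(json.dumps(claims, **compact).encode()),
    ])
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_locally(token: str, now=None) -> dict:
    """Stateless check: pinned alg, HMAC signature, expiry. No server lookup."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


# Server-side state: the questioner's per-user "salt", kept as an integer version.
SESSION_VERSION = {}


def issue(user: str, ttl: int = 900, now=None) -> str:
    now = time.time() if now is None else now
    version = SESSION_VERSION.setdefault(user, 1)
    return mint({"sub": user, "sv": version, "iat": int(now), "exp": int(now) + ttl})


def kick(user: str) -> None:
    """Invalidate every outstanding token for `user` by rotating the version."""
    SESSION_VERSION[user] = SESSION_VERSION.get(user, 1) + 1


def verify_statefully(token: str, now=None) -> dict:
    """Local checks plus a server-side lookup (stand-in for introspection)."""
    claims = verify_locally(token, now)
    if claims.get("sv") != SESSION_VERSION.get(claims.get("sub")):
        raise ValueError("session revoked")
    return claims


SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def authorize(method: str, token: str, now=None) -> dict:
    """Hybrid policy: stateless for reads, stateful for everything else."""
    if method.upper() in SAFE_METHODS:
        return verify_locally(token, now)
    return verify_statefully(token, now)


if __name__ == "__main__":
    tok = issue("alice", now=1000)
    print(authorize("GET", tok, now=1001))
    kick("alice")
    print(authorize("GET", tok, now=1001))   # reads still pass until exp
    try:
        authorize("POST", tok, now=1001)
    except ValueError as exc:
        print("POST rejected:", exc)
```

The trade-off is visible in the last two calls: after `kick`, a write is refused immediately, but a read on the same token keeps succeeding until `exp`. That is the price of the stateless path, so the read-side exposure window is exactly the token lifetime; keep it short, and route anything sensitive enough that a stale read matters through the stateful path as well.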