
If I understand correctly, from a few resources like RemoteJWT Cache TTL, Spring caches the JWK set in the Resource Server to minimise the remote calls to the Authorisation Server for token verification on each API call. And Spring has a default TTL for that of 5 mins, which we can increase as well.

However, I have some queries on the same:

  • What happens if the user successfully logs out from the client application and hits the resource server API with the same JWT token, and from the Resource Server end the TTL hasn't expired yet? Are they still able to access the API?

Please correct me if my understanding is wrong and also give your thoughts on the same. And if there is a good resource on that, please do share. Thanks!

deen
    If keys were rotated on the authorization server and the jwk-set-uri refreshed on the resource server, the old JWT would certainly be invalidated, but beyond that I'm not aware of a relationship between jwk-set-uri caching, client log out, and access token expiration. So if you had the JWT after the client session was terminated, it would still be valid directly at the resource server. A JWT is a credential with no means (in itself) of being forcibly invalidated, and for that reason must be treated with care (e.g. protected from exposure). – Steve Riesenberg Apr 11 '22 at 18:15
  • To add to the great comment above, this is what sets server side sessions apart from JWTs, which are free living entities. One way to solve this with "true" logout is to implement a temporary block list that is valid until a token's expiration has been surpassed, as described here by OWASP https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html#no-built-in-token-revocation-by-the-user but this in general I would say is an antipattern as we are just trying to reimplement session based cookies again. – Toerktumlare Apr 12 '22 at 11:50
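The temporary block list mentioned in the comment above, as an added example for Spring Security's resource server (this is illustration code, not from the question, the comments, Spring, or the OWASP cheat sheet). It assumes the authorization server puts a `jti` claim in each access token; the JWK set URI is a placeholder, and the block list is an in-memory map, which only works for a single resource server instance (several instances would need a shared store such as a database or cache). Note that the JWK cache TTL discussed in the question only controls how often signing keys are re-fetched; it plays no part in revocation, so the decoder's validator chain is where a logout has to be enforced.

```java
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Block list of revoked token ids (jti). An entry is only needed until the
 * token's own exp; after that the normal timestamp validator rejects the
 * token anyway, so stale entries are pruned on lookup.
 * Assumption: single-instance, in-memory store (hypothetical helper).
 */
class JwtDenylist {
    private final Map<String, Instant> revokedUntil = new ConcurrentHashMap<>();

    /** Remember a jti until the token would have expired on its own. */
    void revoke(String jti, Instant exp) {
        revokedUntil.put(jti, exp);
    }

    boolean isRevoked(String jti, Instant now) {
        Instant exp = revokedUntil.get(jti);
        if (exp == null) {
            return false;
        }
        if (!exp.isAfter(now)) {
            revokedUntil.remove(jti);   // token expired: entry no longer needed
            return false;               // exp check rejects the token regardless
        }
        return true;
    }
}

/** Validator that runs after signature and timestamp checks succeed. */
class DenylistJwtValidator implements OAuth2TokenValidator<Jwt> {
    private static final OAuth2Error REVOKED =
        new OAuth2Error("invalid_token", "The token has been revoked", null);
    private static final OAuth2Error NO_JTI =
        new OAuth2Error("invalid_token", "The token has no jti claim", null);

    private final JwtDenylist denylist;

    DenylistJwtValidator(JwtDenylist denylist) {
        this.denylist = denylist;
    }

    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        String jti = jwt.getId();
        if (jti == null) {
            return OAuth2TokenValidatorResult.failure(NO_JTI);
        }
        if (denylist.isRevoked(jti, Instant.now())) {
            return OAuth2TokenValidatorResult.failure(REVOKED);
        }
        return OAuth2TokenValidatorResult.success();
    }
}

@Configuration
public class JwtDecoderConfig {

    @Bean
    public JwtDenylist jwtDenylist() {
        return new JwtDenylist();
    }

    @Bean
    public JwtDecoder jwtDecoder(JwtDenylist denylist) {
        // Placeholder JWK set URI; the JWK cache TTL is independent of revocation.
        NimbusJwtDecoder decoder = NimbusJwtDecoder
            .withJwkSetUri("https://auth.example.invalid/.well-known/jwks.json")
            .build();
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefault(),        // exp / nbf checks
            new DenylistJwtValidator(denylist))); // then the block list
        return decoder;
    }
}

/** Hypothetical logout endpoint on the resource server: blocks the caller's token. */
@RestController
class LogoutController {
    private final JwtDenylist denylist;

    LogoutController(JwtDenylist denylist) {
        this.denylist = denylist;
    }

    @PostMapping("/logout")
    void logout(@AuthenticationPrincipal Jwt jwt) {
        denylist.revoke(jwt.getId(), jwt.getExpiresAt());
    }
}
```

With this wiring, a token presented after `/logout` fails validation with `invalid_token` even though its signature is still valid and the cached JWK set has not been refreshed, which is the scenario the question asks about. The trade-off the second comment raises still applies: the resource server now holds per-token state, which is what stateless JWTs were meant to avoid.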
