I recently discovered JWT for token authentication + authorization.
I think is very useful to have user info wrapped in the token, so I'm trying to use it in a Java/Spring web project.
At first, my impressions were: if I have all the user data in token I don't need to store it in application DB and I don't need to retrieve user + session information for every service request. This is fantastic and could improve effectively service access performance.
But now I'm having some doubt on JWT "limitation" for my use case. For example: what If the user is disabled by service admin and the last generated token is not yet expired? The user can access to the service even if it is actually not authorized...
Is this a limitation of JWT or am I missing something? Can you clarify my doubt?
JWT is self-contained. One of the advantages is that it does not need server session storage, because digital signature protects the content.
There are several reason to invalidate a JWT token before its expiration time: account deleted/blocked/suspended, password changed, permissions changed, user logged out by admin. Take a look at Invalidating JSON Web Tokens
It is a common need and there are several techniques to apply or combine depending on your use case
Remove the client token
Token blacklist: Store tokens that were between logout & expiry time, mark expired and check it in every request. You need server storage. You can include only the ID, or use the
issued_at and check last update to user profile
Expiry times short and rotate them. Issue a new one every few request. The problem is to maintain user logged when there are no requests (for example closing browser)
Other common techniques: