
As per my understanding, JWTs are signed tokens which can be used to identify users; if used as session tokens, they can eliminate the need to store sessions on the server, i.e. they are stateless.

Suppose I store user_id in a JWT token and use it to validate users on the server: how would a user actually log out?

Just deleting the token from the browser won't be useful; for example, suppose you want to log out of all other sessions.

Since JWTs are stateless, there can be no way to invalidate existing tokens; a solution could be to keep them in a DB, which defeats the purpose of JWT.

This would be a major security risk, as log out is a very important feature. If JWTs aren't useful as session tokens, what is the perfect use case for JWT?

  • 3
    Does this answer your question? [How to properly invalidate JWT tokens and sessions in this use case?](https://security.stackexchange.com/questions/239531/), [JWT token login and logout](https://security.stackexchange.com/questions/101734), [Best practices to invalidate JWT while changing passwords and logout in node.js?](https://security.stackexchange.com/questions/82640/). – Steffen Ullrich Sep 20 '21 at 08:36
  • @Steffen Ullrich They do have some good suggestions on implementation, I wanted a security standpoint on it and whether it's usable as session token or not. – Abhishek Choudhary Sep 20 '21 at 08:48

1 Answer

OAuth with JWT is usually stateless for the resource servers, which just validate the JWT signature and metadata. The JWT is time limited, signalled through the exp (expiration) attribute. When the token expires and the user is still active, the client is obliged to fetch a new JWT from the authorization server (AS). It will then usually identify the user's session through a refresh token.

On the authorization server (AS), state is kept. So when you log out of the session (referred to in the refresh token), the AS wipes this session from its state.

This does not invalidate any valid JWTs the client still holds, though. So until these expire (or there is a backchannel exchange of revoked sessions between the AS and resource server), the client is in effect still logged in. This makes it important to have short expiration values for the individual JWTs.

An example of a logout service: https://connect2id.com/products/server/docs/api/logout

Geir Emblemsvag
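The split the answer describes (stateless resource server checking only signature and exp, stateful authorization server holding refresh-token sessions that logout wipes) can be seen end to end in the following added example. It is not code from the question, the answer or any library; it builds HS256 compact JWTs by hand with the standard library only, and the key, user ids, TTL and the `now` parameter are constructed values so the sequence is deterministic.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWS compact serialisation."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT: header.payload.signature."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: int):
    """Resource server check: stateless, only signature, alg and exp are inspected.
    Returns the claims on success, None on any failure. No session lookup happens here."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    if json.loads(b64url_decode(h)).get("alg") != "HS256":   # reject alg confusion
        return None
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) <= now:                           # short exp bounds the window
        return None
    return claims


class AuthorizationServer:
    """Stateful side: refresh tokens map to live sessions; logout deletes them."""

    def __init__(self, key: bytes, access_ttl: int = 300):
        self.key = key
        self.access_ttl = access_ttl          # seconds; keep this short
        self.sessions = {}                    # refresh_token -> user_id

    def issue_access(self, user_id: str, now: int) -> str:
        return sign_jwt({"sub": user_id, "iat": now, "exp": now + self.access_ttl}, self.key)

    def login(self, user_id: str, now: int):
        refresh_token = secrets.token_urlsafe(32)
        self.sessions[refresh_token] = user_id
        return refresh_token, self.issue_access(user_id, now)

    def refresh(self, refresh_token: str, now: int):
        """Only a live session can mint a new access token."""
        user_id = self.sessions.get(refresh_token)
        return None if user_id is None else self.issue_access(user_id, now)

    def logout(self, refresh_token: str) -> None:
        self.sessions.pop(refresh_token, None)

    def logout_everywhere(self, user_id: str) -> int:
        """'Log out of all other sessions': drop every session of this user."""
        doomed = [rt for rt, uid in self.sessions.items() if uid == user_id]
        for rt in doomed:
            del self.sessions[rt]
        return len(doomed)


def walkthrough(key: bytes = b"constructed-demo-key", ttl: int = 300) -> dict:
    """Constructed timeline showing what logout does and does not invalidate."""
    auth = AuthorizationServer(key, access_ttl=ttl)
    rt, access = auth.login("alice", now=1000)
    auth.logout(rt)
    return {
        "valid_after_logout": verify_jwt(access, key, now=1100) is not None,  # still accepted
        "refresh_after_logout": auth.refresh(rt, now=1100),                   # None: session gone
        "valid_after_exp": verify_jwt(access, key, now=1000 + ttl) is not None,
    }


if __name__ == "__main__":
    print(walkthrough())
```

The resource server never consults the session store, which is what keeps it stateless; the price is the window between logout and exp during which an already-issued access token still verifies, so the TTL is the knob that bounds that exposure.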