How can I revoke a JWT token?

by

In general the easiest answer would be to say that you cannot revoke a JWT token, but that’s simply not true. The honest answer is that the cost of supporting JWT revocation is sufficiently big for not being worth most of the times or plainly reconsider an alternative to JWT.

Having said that, in some scenarios you might need both JWT and immediate token revocation so lets go through what it would take, but first we’ll cover some concepts.

JWT (Learn JSON Web Tokens) just specifies a token format, this revocation problem would also apply to any format used in what’s usually known as a self-contained or by-value token. I like the latter terminology, because it makes a good contrast with by-reference tokens.

by-value token – associated information, including token lifetime, is contained in the token itself and the information can be verified as originating from a trusted source (digital signatures to the rescue)

by-reference token – associated information is kept on server-side storage that is then obtained using the token value as the key; being server-side storage the associated information is implicitly trusted

Before the JWT Big Bang we already dealt with tokens in our authentication systems; it was common for an application to create a session identifier upon user login that would then be used so that the user did not had to repeat the login process each time. These session identifiers were used as key indexes for server-side storage and if this sounds similar to something you recently read, you’re right, this indeed classifies as a by-reference token.

Using the same analogy, understanding revocation for by-reference tokens is trivial; we just delete the server-side storage mapped to that key and the next time the key is provided it will be invalid.

For by-value tokens we just need to implement the opposite. When you request the revocation of the token you store something that allows you to uniquely identify that token so that next time you receive it you can additionally check if it was revoked. If you’re already thinking that something like this will not scale, have in mind that you only need to store the data until the time the token would expire and in most cases you could probably just store an hash of the token so it would always be something of a known size.

As a last note and to center this on OAuth 2.0, the revocation of by-value access tokens is currently not standardized. Nonetheless, the OAuth 2.0 Token revocation specifically states that it can still be achieved as long as both the authorization server and resource server agree to a custom way of handling this:

In the former case (self-contained tokens), some (currently non-standardized) backend interaction between the authorization server and the resource server may be used when immediate access token revocation is desired.

If you control both the authorization server and resource server this is very easy to achieve. On the other hand if you delegate the authorization server role to a cloud provider like Auth0 or a third-party component like Spring OAuth 2.0 you most likely need to approach things differently as you’ll probably only get what’s already standardized.

An interesting reference

This article explain a another way to do that: Blacklist JWT
It contains some interesting pratices and pattern followed by RFC7523

More Related Contents:

  1. Google Home Authorization Code and Authentication with Google Account
  2. How does OAuth 2 protect against things like replay attacks using the Security Token?
  3. Using Postman to access OAuth 2.0 Google APIs
  4. Gmail API returns 403 error code and “Delegation denied for “
  5. Does OpenID Connect support the Resource Owner Password Credentials grant?
  6. CORS issue with Google Oauth2 for server side webapps
  7. Error: invalid_request device_id and device_name are required for private IP
  8. Sign in with Google temporarily disabled for this app
  9. 403 Forbidden message when calling the v3 Google Calendar API using a Service Account via OAuth 2.0
  10. “This app would like to: Have offline access” when access_type=online
  11. Is it possible to be able to correctly select any available Google account to use when using authorisation via the JS client library for Drive?
  12. How to bypass entering authentication code to authorize my code everytime I use the YouTube Data API v3
  13. How to specify refresh tokens lifespan in Keycloak
  14. Spring-Security-Oauth2: Full authentication is required to access this resource
  15. Google APIs Console – missing client secret
  16. Using Oauth tickets across several services?
  17. How to validate an OAuth 2.0 access token for a resource server?
  18. Why do access tokens expire?
  19. How to identify a Google OAuth2 user?
  20. OWIN Security – How to Implement OAuth2 Refresh Tokens
  21. IMAP auth in Office 365 using OAuth2
  22. OAuth 2.0: Benefits and use cases — why?
  23. How to set redirect_uri protocol to HTTPS in Azure Web Apps
  24. How to send emails with google using nodemailer after Google disabled less sure app option?
  25. How do I use a Service Account to Access the Google Analytics API V3 with .NET C#?
  26. Google coordinate authentication
  27. JWT (Json Web Token) Audience “aud” versus Client_Id – What’s the difference?
  28. Registering Web API 2 external logins from multiple API clients with OWIN Identity
  29. How to Auth to Google Cloud using Service Account in Python?
  30. Multiple IdentityServer Federation : Error Unable to unprotect the message.State

Leave a Comment