Blacklist JWT Token

Quoc Van Tang

According to Matt Way's answer in this post: Invalidating JSON Web Tokens

The #2 solution is about using a Token Blacklist, but I have a question: how does the server know exactly which old token to add to the blacklist? For example: when I log in, I receive the "ABCD" token from the server; the server does not keep this token anywhere. Then I change my password (or log out); the server should send me a new token like "EFGH" and invalidate the old "ABCD" (by adding "ABCD" to the blacklist until its expiry date). But the issue is: how can the server know the old "ABCD" token in order to add it to the blacklist?

answered 3 weeks ago Toars #1

To perform actions related to an account, the JWT generated at connection must be present in the headers of the request (usually in the Authorization header).

It is the client that will store the token and send it whenever necessary to authenticate itself to the server.

It only remains for the server to retrieve the token present in the Headers to invalidate it and blacklist it when necessary.
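The flow the answer describes, as an added example (not code from the question, the answer, or the linked post): the server issues an HS256 JWT carrying a random `jti` (token id), the client sends it back in `Authorization: Bearer ...`, and on logout the server reads that very token from the header and records its `jti` in the blacklist until the token's own `exp` passes. Everything here is assumed for illustration: the signing key, the in-memory dicts standing in for a shared store such as Redis, and the `PASSWORD_CHANGED_AT` cut-off, which goes beyond the answer to cover the password-change case, where the server must also reject tokens it has never seen (other devices' sessions) and so cannot blacklist individually.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical server-side state for this example (not from the original post).
SECRET = b"demo-signing-key"    # HS256 key; load from a secret store in real code
TOKEN_TTL = 3600                # token lifetime in seconds
BLACKLIST = {}                  # jti -> exp of the revoked token (prune after exp)
PASSWORD_CHANGED_AT = {}        # user id -> time of last password change


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, now=None) -> str:
    """Build an HS256 JWT with iat, exp and a random jti so it can be blacklisted."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": int(now), "exp": int(now) + TOKEN_TTL,
               "jti": secrets.token_urlsafe(16)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now=None) -> dict:
    """Check signature, expiry, blacklist and per-user cut-off; return claims or raise."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never honour an alg chosen by the client
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims["exp"] <= now:
        raise ValueError("expired")
    if claims["jti"] in BLACKLIST:
        raise ValueError("revoked")
    # Password change: reject anything issued before the change, including tokens
    # the server never saw (it only ever sees the one the client put in the header).
    if claims["iat"] < PASSWORD_CHANGED_AT.get(claims["sub"], 0):
        raise ValueError("issued before password change")
    return claims


def token_from_headers(headers: dict) -> str:
    """Pull the bearer token out of the Authorization header the client sent."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not value:
        raise ValueError("missing bearer token")
    return value


def logout(headers: dict, now=None) -> str:
    """Blacklist the token presented in this request until its own exp passes."""
    claims = verify_token(token_from_headers(headers), now)
    BLACKLIST[claims["jti"]] = claims["exp"]
    return claims["jti"]


def change_password(headers: dict, now=None) -> str:
    """Invalidate every token issued before now for this user, then issue a fresh one."""
    now = time.time() if now is None else now
    claims = verify_token(token_from_headers(headers), now)
    PASSWORD_CHANGED_AT[claims["sub"]] = int(now)
    return issue_token(claims["sub"], now)


def prune_blacklist(now=None) -> int:
    """Drop blacklist entries whose token has expired anyway; returns how many."""
    now = time.time() if now is None else now
    stale = [jti for jti, exp in BLACKLIST.items() if exp <= now]
    for jti in stale:
        del BLACKLIST[jti]
    return len(stale)


if __name__ == "__main__":
    tok = issue_token("alice")
    print(verify_token(tok)["sub"])                      # alice
    logout({"Authorization": "Bearer " + tok})
    try:
        verify_token(tok)
    except ValueError as e:
        print("after logout:", e)                        # after logout: revoked
```

The blacklist is keyed on `jti` rather than on the whole token string so entries stay small, and an entry only needs to live until that token's `exp`, after which the expiry check rejects it anyway. Note that this check runs on every authenticated request, so the store behind `BLACKLIST` has to be fast and shared across all server instances.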
