Node-jsonwebtoken: Is it possible to set tokens invalid?

Created on 24 Nov 2015 · 6 comments · Source: auth0/node-jsonwebtoken

For instance, someone steals a user's token (no matter how) and the user requests to set those invalid.

The tokens are always created with the user's id. Is it possible to set the tokens created previously invalid according to a specific user id?

All 6 comments

You would have to have a check in your code to compare the user and exp or iat in the token to a table where you store the user and timestamp. You'll need to use your expiresInSeconds depending on the approach you want to take.

If you're always passing in the user_id with the token you could use separate keys for each user, then just replace the key when you want to void the existing ones.

Thanks, but tracking is not a problem actually. Is there a function or something to set the token expired?
Something like jwt.setExpired(token, secretOrPublicKey)?

Not possible doing it how you envision it working. The token has the expiry date encrypted inside of it. Since you can't force the client to replace their token, using something like jwt.setExpired(token, secretOrPublicKey) will not work. That is why tracking when users have expired tokens or replacing their secret key are the two main options you have for expiring a token early.

Thanks, I think I'll use the approach with user secret keys for token.

Hi, I have to log out the session when the user clicks the 'logout' link. In this case I need to expire the token, so what would be the solution for this?

The solution is to keep a blacklist where the key is either the full token or the JTI (json webtoken id).

The blacklist can have a TTL (time-to-live) based on the exp field. (Once the token is expired it can be removed from the blacklist.)

More details in this blogpost:

https://auth0.com/blog/2015/03/10/blacklist-json-web-token-api-keys/
