At first glance I faced a simple task: how to invalidate a token? For example, when a user logs out or changes their password.
Briefly about the task: there is a regular REST API, part of whose functionality requires the user to be authorized. It is implemented using JWT.
Searching online, I found a few ideas on this:
- "Forget" the token on the client
This is the simplest solution, but the token actually continues to work until its lifetime expires. So this solution is not very safe.
- Store a blacklist of tokens in the database
If the user invalidates the token, we store it in the database, and on each request we check whether the passed token is in the blacklist. And, of course, clean the database on expiry.
It is a viable option, but it partially defeats the purpose of JWT.
- Change the secret
A convenient option when you need to invalidate tokens for all users. But if you make an individual secret for each user, it has to be stored somewhere (the DB again?), and you can't use a more robust algorithm like RS256. By the way, an additional question: does it make sense to use it for web tokens?
Honestly, I don't consider any of the options I found a complete solution. I have a feeling I'm missing something. I'd be glad to hear any thoughts and advice on this.