This simplicity has side effects though, and often leads to limitations.
Client side logout - i. Although your application has lost the token: Another mechanism often used is that of " short validity " - i. Whilst it's a step forward, and reduces the time period that a leaked token could be abused - it's still worth highlighting the potential damage an attacker could do in even half an hour.
From a security point of view, we need a way of actually revoking Invalidating jwt tokens we need the ability to proactively invalidate tokens, being able to minimise the damage should a token fall in to malicious hands.
Here lies the problem though: Whilst removing state is an "Invalidating jwt tokens" aim from an architectural point of view, and has many merits, it's not ideal from a security angle. The inability to specify a per-action unique identifier or " nonce "proposes a few problems - including toking revocation, a lack of " security in depth ", and replay attacks to name but three. Stateless architectures can cause quite a few security headaches. It's a common misconception that JWT itself is the barrier to token revocation and invalidation, but this is an obfuscation of what JWT actually is: It has nothing to do with application state - thats your own architectural decision, and whilst it may be a good one - it's also the real security obstacle.
There's no denying that working with JWT is a breeze from a development point of view: As a provider i. That of course means you need to keep their data confidential - Invalidating jwt tokens authenticating the user, and providing strict access control measures. Revoking access - in addition to allowing a user to " de-authenticate " - clearly come within the remit of providing adequate security controls.
State itself doesn't mean cookies, nor does it mean packing the Invalidating jwt tokens with data; it doesn't change the way your API fundamentally works, nor does it provide enforce any additional steps for the consumer of your API. It does however, enable better security practices. If you were to write a minimalistic JWT implementation - not that you should - the token generation would look something like this:. Pay special attention to the HMAC signature: It's similar to using MD5 hashes to check the integrity of a large file you've downloaded, except it relies upon a Invalidating jwt tokens that only the server has - ensuring the client cannot tamper with the contents of the message.
We can use that "Invalidating jwt tokens" to not only ensure the integrity of the token though, we can also use it as a unique identifier - safe in the knowledge that a signature will always be unique to one specific JWT token. Using this 43 character signature as a unique identifier, we can store it against a given user - and do additional checks prior to the standard JWT integrity checks.
Now that's far from production codeand likely not even syntactically valid!