JWT
As per auth0.com:
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.
Coming to the original question: how do you log out when using JSON Web Tokens?
The simple answer is: we can't, at least not in the way a server-side session can be destroyed.
Let's see why that is the case with JWT.
JWT is stateless
Flow
This means tokens are not stored in a database or in a server-side session. Once a token is issued it remains valid until it expires, and the server has no record it could delete to invalidate it earlier. The expiry is fixed at creation time through the exp claim, so the only thing the issuer controls is how long that window is.
So how should we plan for token expiry and logout?
We need to plan in the following manner:
- 1. Set a reasonable (short) expiration time for tokens, so a leaked or "logged-out" token is only usable for a bounded window.
- 2. Delete the stored token from the client side on logout, so the client stops presenting it.
- 3. Keep a server-side store (a denylist) of logged-out tokens that still have time to live, check it on every request, and drop entries once their exp has passed.
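The three steps above, implemented as an added example that is not part of the original page: a minimal HS256 issuer and verifier built only on Python's standard library, with a short TTL (step 1), a logout that records the token's jti in a denylist until its exp passes (step 3), and a verifier that checks signature, algorithm, expiry and the denylist in that order. The secret, the TTL value, the Denylist class and the helper names are assumptions for illustration, not code from auth0 or any JWT library.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Assumed values for this example only; a real deployment loads the secret from
# a secrets store and never hard-codes it.
SECRET = b"example-hmac-secret-not-for-production"
TOKEN_TTL_SECONDS = 15 * 60  # step 1: short lifetime bounds the damage of a leaked token


def _b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7515 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, now=None, ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Issue an HS256 JWT with iat, exp and a random jti (needed for the denylist)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl, "jti": uuid.uuid4().hex}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(payload))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class Denylist:
    """Step 3 (assumed in-memory store): jti -> exp for tokens logged out before expiry.

    In production this would be a shared store (e.g. Redis with TTL = exp - now)
    so every API instance sees the same revocations.
    """

    def __init__(self):
        self._revoked = {}

    def add(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def prune(self, now: int) -> None:
        # Once a token is past exp the verifier rejects it anyway, so the entry is dead weight.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}

    def contains(self, jti: str, now: int) -> bool:
        self.prune(now)
        return jti in self._revoked

    def __len__(self) -> int:
        return len(self._revoked)


def verify_token(token: str, denylist: Denylist, now=None) -> dict:
    """Return the payload if the token is acceptable, otherwise raise ValueError with a reason."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm server-side; never let the token choose it (rejects alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    if denylist.contains(payload["jti"], now):
        raise ValueError("revoked")
    return payload


def token_status(token: str, denylist: Denylist, now=None) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        verify_token(token, denylist, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def logout(token: str, denylist: Denylist, now=None) -> None:
    """Server side of logout: remember the still-valid token until it would expire on its own.

    Step 2 (the client discarding its copy) happens in the client and is not shown here.
    """
    payload = verify_token(token, denylist, now)
    denylist.add(payload["jti"], payload["exp"])


if __name__ == "__main__":
    dl = Denylist()
    t0 = 1_700_000_000  # constructed clock value so the run is deterministic
    tok = issue_token("alice", now=t0)
    print(token_status(tok, dl, now=t0 + 10))      # ok
    logout(tok, dl, now=t0 + 10)
    print(token_status(tok, dl, now=t0 + 20))      # revoked
    print(token_status(tok, dl, now=t0 + TOKEN_TTL_SECONDS + 1))  # expired
```

The denylist only has to remember a token for the remainder of its TTL, which is why step 1 (a short expiry) keeps step 3 cheap; with multi-day tokens the revocation store grows into exactly the server-side session state JWTs were meant to avoid.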
No logout on JWT