JWT : Logout, expire and prolongation

I have worked with JWT for a year now and I have to admit that it has saved my life. I don't know any other solution that can provide sessionless authentication without sharing a database (like Redis) across all your API servers.

JSON Web Tokens are awesome: they hand the client signed, tamper-evident information, and that client can then talk to every server that holds the key needed to verify the signature (the shared secret for HMAC, or only the public key for an asymmetric signature).

EDIT: I've just seen an article from Auth0 that does a better job: Refresh token from Auth0

The problem of logout:

To log out a user, the naive approach is to remove the JWT from their browser. The next request will carry no token and will end with an unauthorized response.

But what if the user wants to log out of every device on which they are connected to your API?

That's the problem: since the user's "identity" is held client-side, you can't natively force the JWT to expire.

How do you tell the servers to stop accepting a JWT that should now be considered expired?

First, every JWT carries its own expiration date (the exp claim), which the server checks, along with the signature, on every request. So if the lifetime is really short, like 2 hours of inactivity (see the prolongation part), you can assume that a device's "session" ends shortly after it stops refreshing the token.

But sometimes you really need to kick out a stolen session, or a session that wasn't closed properly on a public computer. The only way to do that is to share a list of revoked tokens across your servers. Because every token expires on its own, an entry only needs to live until that token's exp has passed, and keying the list by the jti claim (or a hash of the token) rather than the full token keeps it small.

The prolongation strategy:

A short lifetime is good for security and keeps the data carried inside your tokens fresh. But it is restrictive and tedious. For a good user experience, if the app doesn't handle sensitive data, a user who opens it every 2 days should never have to log in again.

So we need to refresh the token. One strategy is to set the token lifetime to one week and refresh it every time the user opens the web application, then every hour after that. If a user doesn't open the application for more than a week, they will have to log in again, which is acceptable UX for a web application (cf. the José F. Romaniello answer in the sources).

For me, one week is too long, and refreshing every hour is costly for both client and server. Refreshing a JWT consists of updating its expiration date and the data it carries about the user. In GraphComment, our AngularJS client is built to replace its JWT whenever it receives one in the Authorization header of a response. That lets us update the JWT as the user record changes and, above all, refresh the token when needed. So we keep the logic server-side instead of using a client-side library that handles it for you.

But when is it needed? Our answer: when the JWT is about to expire, that is, 4 hours before the expiration date.

TL;DR

Logout:

  • Remove the JWT client-side if your app is not sensitive. Share a set of revoked JWTs across your servers if you don't trust the client.

Prolongation:

  • Client: make sure the client replaces its token whenever the API sends one in the Authorization header of a response.
  • Server: on every authenticated request, check whether the token is about to expire. If it is, just prolong it.
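The two server-side pieces above, the shared revocation list from the logout section and the "prolong when about to expire" check, as an added example that is not GraphComment's code. It uses only the Python standard library and assumes one HMAC secret shared by all API servers, a one-day token lifetime, the post's 4-hour prolongation window, and an in-memory dict standing in for the replicated store; the user names, session ids and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions for this demo: one HMAC secret shared by every API server,
# a one-day token lifetime, and the post's "4 hours before expiry" rule.
SECRET = b"constructed-demo-secret-do-not-reuse"
LIFETIME = 24 * 3600
PROLONG_BEFORE = 4 * 3600


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hmac(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()


def issue(sub: str, jti: str, now: int, extra: dict = None) -> str:
    """Build a compact HS256 JWT. jti identifies the session and is kept
    across prolongations, so revoking it kicks out every token of that session."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    claims = {"sub": sub, "jti": jti, "iat": now, "exp": now + LIFETIME, **(extra or {})}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{body}.{_b64url(_hmac(f'{header}.{body}'))}"


class Revocations:
    """The shared revocation list (in real life replicated to every API server,
    e.g. in Redis; here an in-memory dict). An entry only has to outlive the
    longest token it could cover, so it is stamped with now + LIFETIME and
    purged once that moment has passed."""

    def __init__(self) -> None:
        self._until = {}  # jti -> timestamp after which the entry can be dropped

    def revoke(self, jti: str, now: int) -> None:
        self._until[jti] = now + LIFETIME

    def purge(self, now: int) -> None:
        for jti in [j for j, until in self._until.items() if until <= now]:
            del self._until[jti]

    def is_revoked(self, jti: str, now: int) -> bool:
        self.purge(now)
        return jti in self._until


def verify(token: str, revoked: Revocations, now: int) -> dict:
    """Check structure, algorithm, signature, exp and the revocation list, in that order."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_hmac(f"{header_b64}.{body_b64}"), _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body_b64))
    if claims["exp"] <= now:
        raise ValueError("expired")
    if revoked.is_revoked(claims["jti"], now):
        raise ValueError("revoked")
    return claims


def authenticate(token: str, revoked: Revocations, now: int):
    """What every authenticated endpoint does: verify, then prolong if the token
    is about to expire. Returns (claims, new_token); new_token is None unless a
    fresh token should be sent back in the response's Authorization header."""
    claims = verify(token, revoked, now)
    if claims["exp"] - now >= PROLONG_BEFORE:
        return claims, None
    return claims, issue(claims["sub"], claims["jti"], now)


if __name__ == "__main__":
    store = Revocations()
    t0 = int(time.time())
    tok = issue("alice", "sess-1", t0)
    print(authenticate(tok, store, t0 + 3600)[1])        # None: 23 h left, nothing to do
    _, newer = authenticate(tok, store, t0 + 21 * 3600)  # 3 h left: prolonged
    print(newer is not None)
    store.revoke("sess-1", t0 + 21 * 3600)               # kick out that session everywhere
    try:
        verify(newer, store, t0 + 22 * 3600)
    except ValueError as err:
        print("rejected:", err)
```

Two design choices worth noting. The session id (jti) survives prolongation, so a single revoke entry covers the original token and every token later derived from it; that is why the entry is stamped with now + LIFETIME rather than the revoked token's own exp. And "log out on all devices" for a user is simply revoking every session id that user currently holds, which means the login handler has to record those ids somewhere the logout handler can find them.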

Sources:

My GraphComment experience.

The answer by José F. Romaniello, Head of Engineering at Auth0, to the StackOverflow question "JWT (Json Web Token) automatic prolongation of expiration".

Disclaimer:

Hi, I'm Thomas, and I'm French. Why am I writing in English? For fun, because it's a universal language and the language of IT. But I'm not fluent, and I'm sharing a point of view that is not the absolute and timeless truth, so don't hesitate to point out my mistakes ;)

Louie Aniez

Back End Developer at Virtual BizNest

4 years ago

How do you invalidate a token when the user has closed their browser?
Mesut Vatansever

Software Developer

7 years ago

Would you prefer to use this for an API consumed by both a mobile and a web app?

More articles by Thomas LEDUC