Why would I want to revoke JWT Tokens

authentication

After researching the differences between OAuth and JWT, I decided to use JWT on my next project for simplicity and performance reasons.

From what I learned until now, and please correct me if I'm wrong, JWT is self-contained data, hashed with a public key on the client. I then can check it against a secret key and verify its validity on my backend. Ok..

But there is one thing that I still can't quite understand: JWT token revoking. I saw many posts and topics about "How to revoke JWT" or whether it's "Possible or not to revoke JWT", "JWT Blacklisting", and even some posts saying there's no point in any of it.

I want to understand: Why would I want to revoke JWT? Would not revoking it be a security flaw? How?

Best Answer

The default implementation of a JWT is stateless. That means you don't hold any information regarding the individual token in any form of storage (files, databases, memory, etc.). You're relying on the signature of the JWT to validate that you have issued this token.

This is not more or less secure than a stateful token per se as far as protecting the token goes. It does however have security implications for a compromised token.

Since you have no way of knowing which individual token this is, due to not storing any information about them, you cannot reject tokens which pass the basic signature validation. This means that if I somehow managed to acquire your token I will be able to pose as you until the token expires.

You can create a stateful JWT. Just store some data about the token in a database. Say a unique ID along with to whom it was issued. I've done a few different things over time with JWTs to keep them in good shape:

  • Store the API version which issued it
  • Store a password version of the user in it (meaning a password update revokes old tokens)
  • Store a unique ID to identify individual tokens

For the record, revoking a token typically means outright removing the token information from your storage or marking it as deleted; as such it is rejected when authorization is attempted.

For the record I'm not saying that you need to add state to the token so long as you are aware of the implications. Personally I would add some state, not for myself but for the users. Security concerns are typically at the bottom of their list until something tragic happens.
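As an added example, not code from the question or the answer above, here is a minimal stateful-JWT scheme in Python using only the standard library that implements the three items the answer lists (API version, password version, unique token ID) and revokes by deleting the token record. The HMAC secret, the `API_VERSION` constant and the two in-memory dicts are assumptions standing in for a real key and a real database:

```python
import base64, binascii, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-secret"  # assumption: the server's HMAC signing key
API_VERSION = 2                      # assumption: version of the API issuing tokens
issued_tokens = {}      # jti -> subject; stands in for the database table of live tokens
password_version = {}   # subject -> int; bumped on every password change

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(sub: str, ttl: int = 3600) -> str:
    # Mint an HS256 JWT carrying a unique id, the user's password version and the API version.
    jti = secrets.token_hex(8)
    claims = {"sub": sub, "jti": jti, "pwd_ver": password_version.get(sub, 0),
              "api_ver": API_VERSION, "exp": int(time.time()) + ttl}
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    issued_tokens[jti] = sub            # the "state": remember that we issued this id
    return f"{header}.{body}.{_b64(sig)}"

def verify(token: str):
    # Return the claims if the token is valid and not revoked, otherwise None.
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None  # never let the token choose its own algorithm
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None  # signature mismatch: forged or tampered
        claims = json.loads(_unb64(body))
        if claims["exp"] < time.time():
            return None  # expired
        if claims["jti"] not in issued_tokens:
            return None  # revoked (or never issued by us)
        if claims["pwd_ver"] != password_version.get(claims["sub"], 0):
            return None  # password changed since issue, so the old token dies
        if claims["api_ver"] != API_VERSION:
            return None  # issued by an older API version
        return claims
    except (ValueError, binascii.Error, KeyError, AttributeError):
        return None  # malformed token

def revoke(token: str) -> None:
    # Revocation as the answer describes it: remove the token's record from storage.
    issued_tokens.pop(json.loads(_unb64(token.split(".")[1]))["jti"], None)

def change_password(sub: str) -> None:
    # Bumping the version invalidates every token issued under the old password.
    password_version[sub] = password_version.get(sub, 0) + 1
```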
