JWT token refresh (sliding sessions) and signout

天命终不由人 2020-12-23 23:27

I am very new to JWT and I ended up inheriting a codebase which makes use of JWT. Now there are some very fundamental problems which I am facing and I am not finding any ans

1 answer
  • 2020-12-24 00:17

    JWT life extension

    You can issue a JWT with the old one. Your client app has to request a new JWT when it is close to expiration time. The client knows the expiration time by reading the exp claim and can invoke a refresh service to get a new token. If the client app is closed, the JWT will expire and it will be necessary for the user to present the credentials again.

    Logout

    It is recommended to let tokens expire, but you can use a blacklist to store JWTs that are still valid but cannot be used for authentication:

    • When user clicks logout

    • After refreshing a ticket close to expiration time

    You will need to add a unique identifier, jti, to the JWT. The blacklist will contain jti and exp. Once current time > exp the entry can be discarded.

    See Invalidating client side JWT session
