DEV Community

Discussion on: How to invalidate a JWT using a blacklist

Bartosz Pietrucha

If you are using JWT, you want your authorization system to be stateless, right? 🙂 When you introduce blacklisting, you make your authorization stateful! What sense does it make?

This ends up maintaining the list of "logged out", so why not maintain the list of "logged in" and DO NOT use a self-contained token (that exposes the content to anyone), but an opaque token (like a session id) and manage the session on the server. Server-side sessions are by design more secure, and logging out isn't a problem at all.

TL;DR: Blacklisting stateful tokens does not make sense (despite the hype around JWT and the cool blacklisting "technique", which is probably fun to develop 🤷‍♂️).
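To make the opaque-token alternative from the comment above concrete, here is an added example (not code from the commenter or from the original post) of a minimal server-side session store: the client holds only a random session id, the server keeps the "logged in" list, and logout is a single deletion. The TTL value, the `SessionStore` name and the injectable clock are assumptions for the sake of the example; a production deployment would back the dictionary with a shared store such as a database or cache.

```python
import hashlib
import secrets
import time

SESSION_TTL_SECONDS = 3600  # assumed session lifetime for this example


class SessionStore:
    """In-memory server-side session store keyed by an opaque session id.

    The id carries no claims, so nothing about the user is exposed to the
    client. Only a SHA-256 hash of the id is kept server side, so a leaked
    copy of the store does not yield usable session tokens.
    """

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._sessions = {}   # hash(session_id) -> {"user": ..., "expires": ...}
        self._ttl = ttl
        self._clock = clock   # injectable clock so expiry can be tested

    @staticmethod
    def _key(session_id):
        return hashlib.sha256(session_id.encode("utf-8")).hexdigest()

    def login(self, user_id):
        """Create a session and return the opaque id to hand to the client."""
        session_id = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output
        self._sessions[self._key(session_id)] = {
            "user": user_id,
            "expires": self._clock() + self._ttl,
        }
        return session_id

    def user_for(self, session_id):
        """Resolve a presented id to a user, or None if unknown or expired."""
        key = self._key(session_id)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        if entry["expires"] <= self._clock():
            del self._sessions[key]   # lazy cleanup of expired sessions
            return None
        return entry["user"]

    def logout(self, session_id):
        """Revoke one session. Returns True if a live session was removed."""
        return self._sessions.pop(self._key(session_id), None) is not None

    def logout_all(self, user_id):
        """Revoke every session for a user (e.g. after a password change)."""
        doomed = [k for k, v in self._sessions.items() if v["user"] == user_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def demo():
    """Walk through login, lookup and logout; returns the observed results."""
    store = SessionStore(ttl=60)
    sid = store.login("alice")
    before = store.user_for(sid)          # "alice"
    revoked = store.logout(sid)           # True
    after = store.user_for(sid)           # None: nothing to blacklist, the row is gone
    return before, revoked, after


if __name__ == "__main__":
    print(demo())
```

Because revocation is just deleting the server-side row, there is no second "denylist" to consult on every request and no risk of the two lists disagreeing; the session store itself is the single source of truth for who is logged in.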

Tosin Moronfolu

Thank you for your feedback. You have a point; I use sessions also, and it works as you've said. There are many ways to go about things; that's how code works, there isn't one way to do it. I'm just sharing my knowledge; I didn't say this is the best or most secure way to go about it. Sessions have their flaws, as do JWTs; it's just another way. You have your opinion, and I'm happy you shared it. Thank you again.

Bartosz Pietrucha

What are the flaws of sessions (in comparison to this "JWT blacklisting")? I am not sure I understand your point.