DEV Community

Discussion on: What is a JWT token

Collapse
xazzzi profile image
Vitaliy

In practice "stateless" is virtual though.
As soon as your system needs to be able to withdraw previously granted access / invalidate token (say, any messenger that has "log out other devices" feature) you become dependent on some way of communication with auth service again.

Collapse
loige profile image
Luciano Mammino Author • Edited on

This is a very valid point, thanks @xazzzi

In reality, this does not happen all the time. Most system to system interactions won't probably need this feature.

When this feature is needed it does become complex to handle this requirement efficiently. I have seen one implementation of this requirement in the past that was particularly clever and effective. It did use Redis with local client cache. It did work very well and had very little overhead because every revoked token was kept in Redis only until the token itself reached its own invalidity time (in that case was 1 week). Also, in this particular setup, the cardinality of the revoked keys was very low (in the order of less than a hundred at a given time). Therefore it was very feasible to keep a local copy of the list of currently revoked keys and use Redis pub/sub to keep those local copies in sync. Not really stateless but it did minimise the number of requests to the auth server significantly!