How can I log out using Spring Boot JWT


Several things can be done for logout:

  1. Usually, JWT tokens are stored in browser local storage or session storage if we are talking about single-page applications. So, the first thing that can be done in this case is to remove the token from storage:

window.sessionStorage.removeItem("token") // for session storage

or

window.localStorage.removeItem("token") // for local storage

Reference about them:
https://developer.mozilla.org/ru/docs/Web/API/Window/sessionStorage
https://developer.mozilla.org/ru/docs/Web/API/Window/localStorage

My example in Angular: https://github.com/dmcheremisin/TodoApp/blob/master/frontend/src/app/service/jwt-authentication.service.ts

  2. But the client may store this token somewhere and provide it manually. To avoid long-term usage of the token, you should set a short expiration time, for example 15 minutes.

If you need to allow further usage of the token, you refresh it; otherwise, reject it.

Example refresh method:

public String refreshToken(String token) {
    // New issue time and a fresh expiration computed from it (calculateExpirationDate
    // adds the configured validity period; it is a helper in the same class).
    final Date createdDate = new Date();
    final Date expirationDate = calculateExpirationDate(createdDate);

    // Parse and verify the existing token (getAllClaimsFromToken checks the signature),
    // then move its iat/exp claims forward and re-sign it with the same secret.
    final Claims claims = getAllClaimsFromToken(token);
    claims.setIssuedAt(createdDate);
    claims.setExpiration(expirationDate);

    return Jwts.builder().setClaims(claims).signWith(SignatureAlgorithm.HS512, secret).compact();
}

This code snippet is from my repo, which uses the same jjwt library: https://github.com/dmcheremisin/TodoApp/blob/master/backend/src/main/java/com/todo/app/util/JwtTokenUtil.java

  3. Blacklist logged-out tokens. I personally don't like this approach, because you need a centralized place for blacklisted tokens in the case of a multi-node application. JWT tokens were created to avoid being tied to the session of a concrete web server (node). So, you can't store tokens in only one node of your application.

Related article: https://medium.com/devgorilla/how-to-log-out-when-using-jwt-a8c7823e8a6
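As an added illustration of approaches 2 and 3 from the answer above (this is example code, not from the TodoApp repository or the jjwt project): a hypothetical helper class `JwtLogoutSupport` that issues short-lived tokens carrying a unique `jti` claim and keeps a denylist of revoked ids until those tokens would have expired anyway. It uses the jjwt 0.9.1 API the question names (`Jwts.builder()`, `Jwts.parser()`, `SignatureAlgorithm.HS512`); the secret, the 15-minute validity and the in-memory map are constructed for the demo.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical helper (not from the TodoApp repo) combining approaches 2 and 3:
 * short-lived tokens plus a denylist keyed by the token id ("jti") claim.
 */
public class JwtLogoutSupport {

    // Constructed demo secret; a real deployment loads this from configuration.
    private static final byte[] SECRET = "change-me-demo-secret".getBytes(StandardCharsets.UTF_8);
    // 15 minutes, the short validity the answer suggests.
    private static final long VALIDITY_MS = 15 * 60 * 1000L;

    // jti -> expiration time (epoch millis). With several backend nodes this map must be
    // replaced by a centralized store every node can reach; otherwise a token revoked on
    // node A is still accepted by node B, which is exactly the concern raised in approach 3.
    private final Map<String, Long> denylist = new ConcurrentHashMap<>();

    /** Issue a short-lived token with a unique id so that it can be revoked later. */
    public String issue(String username) {
        Date now = new Date();
        return Jwts.builder()
                .setId(UUID.randomUUID().toString())
                .setSubject(username)
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + VALIDITY_MS))
                .signWith(SignatureAlgorithm.HS512, SECRET)
                .compact();
    }

    /** Logout: remember the token id until the token would have expired on its own. */
    public void revoke(String token) {
        Claims claims = parse(token); // throws JwtException if signature or expiry is invalid
        denylist.put(claims.getId(), claims.getExpiration().getTime());
    }

    /** Per-request check: valid signature, not expired, and not revoked. */
    public boolean isValid(String token) {
        try {
            Claims claims = parse(token);
            purgeExpired();
            return !denylist.containsKey(claims.getId());
        } catch (JwtException | IllegalArgumentException e) {
            return false; // bad signature, expired, malformed, or empty token
        }
    }

    /** Verify the signature and standard claims (jjwt rejects expired tokens here). */
    private Claims parse(String token) {
        return Jwts.parser().setSigningKey(SECRET).parseClaimsJws(token).getBody();
    }

    /** Drop denylist entries for tokens that have expired; the parser rejects those anyway. */
    private void purgeExpired() {
        long now = System.currentTimeMillis();
        denylist.entrySet().removeIf(e -> e.getValue() < now);
    }

    public static void main(String[] args) {
        JwtLogoutSupport support = new JwtLogoutSupport();
        String token = support.issue("demo-user");
        System.out.println("valid before logout: " + support.isValid(token));
        support.revoke(token);
        System.out.println("valid after logout:  " + support.isValid(token));
    }
}
```

Because every entry is dropped once its token's own `exp` has passed, the denylist only ever holds ids of tokens issued in the last 15 minutes, so the short expiration from approach 2 is what keeps the blacklist of approach 3 small. Note that the parser already rejects expired and badly signed tokens, so the denylist lookup is only needed for tokens that are otherwise still valid.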


Author: Rakesh Kumar

Updated on June 04, 2022

Comments

  • Rakesh Kumar
    Rakesh Kumar almost 2 years

    I am using this example https://dzone.com/articles/spring-boot-security-json-web-tokenjwt-hello-world for creating a Spring Boot REST API with JSON Web Token (JWT), but I have not found any API for forced logout using the io.jsonwebtoken Maven dependency.

    I am using this dependency in the pom:

    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt</artifactId>
        <version>0.9.1</version>
    </dependency>

    Can anyone tell me whether this dependency provides any logout or revoke-token API or not? If not, please provide any solution for forced logout using this process.

    • Valijon
      Valijon almost 4 years
      In this example, we will be making use of hard-coded user values for user authentication. Normally, there is no logout for a token mechanism, since the server never creates a session... What you can do is remove (you need to store it somewhere and check if it exists...) / deny the token by some criteria. In this article, follow the instructions of Spring Boot + JWT + MYSQL JPA for storing and fetching user credentials.
    • Rakesh Kumar
      Rakesh Kumar almost 4 years
      Thanks @Valijon for the reply. I just want to invalidate the token on logout using JWT, because it does not maintain a session on the server side. So how can we resolve forced logout with JWT without saving the token in the DB? Because if I save the token in the DB and set a token blacklist, then we have to check whether the token is blacklisted or not on every server request. I think this is not the right way to log out, checking every request against the token blacklist. Can you tell me any other process or approach to log out in a Spring Boot RESTful API?
    • Valijon
      Valijon almost 4 years
      Logout means closing the session, but with JWT and other token mechanisms, there is no session... There is no solution for your requirements. Use the standard security mechanism related to sessions, so then you can log out...
    • Rakesh Kumar
      Rakesh Kumar almost 4 years
      You mean JWT does not provide anything for revoking a token? If this is true, can you tell me any other process for Spring Boot REST API authentication for our app's mobile users?
    • MJBZA
      MJBZA almost 4 years
      @RakeshKumar I have the same problem, how did you find a solution for that?
  • Rakesh Kumar
    Rakesh Kumar almost 4 years
    Thanks @Dmitrii for your support in understanding things with JWT tokens. Actually, I have created a backend project with a Spring Boot REST API for Android app mobile users, and currently I am using JWT with Spring Boot Security stateless sessions on the server side. But I am just confused about what happens when a mobile user presses logout in the app; then how do we handle this with the JWT token? Please help me.
  • Dmitrii Cheremisin
    Dmitrii Cheremisin almost 4 years
    Hi, @RakeshKumar. I don't know how things are done in Android app development. But I suppose that in your situation the easiest solution will be to delete the token from your application context (Android app context). The token will be missing and the user will not be able to send any secured requests to the Spring Boot REST API. So, remove the token on logout.
  • Rakesh Kumar
    Rakesh Kumar almost 4 years
    Actually, I am afraid of token hacking if I use this process of removing the token at the context level. If someone copies this token and uses it again for another API call, this is harmful for app users. So can you tell me something on the server side for removing the JWT token? If it is not possible to remove the token on the server side using Spring Boot JWT, then please tell me another token approach on the server side, if any, like Spring Boot OAuth2 (this provides revoke token). But I am not using this one because we would need an auth server for it. So if you have any other approach, please share it with us.
  • Dmitrii Cheremisin
    Dmitrii Cheremisin almost 4 years
    I provided approaches number 2 and 3 for this situation. You may limit the expiration time of the token and refresh it if needed. Or, you may blacklist the token on logout, but you should use centralized blacklist storage in the case of a multi-node Spring Boot API (several backend servers with load balancing). If you use only ONE node of your API, then you may blacklist the token in your Spring Boot API only, without any concerns.
  • Rakesh Kumar
    Rakesh Kumar almost 4 years
    OK @Dmitri, thanks for your support and for giving your valuable time regarding JWT tokens. This is a very useful discussion for us. Thanks