How can logout using spring boot jwt
There are several things that can be done for logout:
- Usually, JWT tokens are stored in browser local storage or session storage if we talk about single-page applications. So, the first thing that can be done in this case is to remove the token from storage:
```javascript
window.sessionStorage.removeItem("token"); // for session storage
// or
window.localStorage.removeItem("token");   // for local storage (the property is camel-cased: localStorage)
```
References about them: https://developer.mozilla.org/ru/docs/Web/API/Window/sessionStorage https://developer.mozilla.org/ru/docs/Web/API/Window/localStorage
My example in Angular: https://github.com/dmcheremisin/TodoApp/blob/master/frontend/src/app/service/jwt-authentication.service.ts
- But the client may store this token somewhere and provide it manually. To avoid long-term usage of a token you should set a short expiration time, for example 15 minutes.
If you need to allow further usage of the token, you refresh it; otherwise reject it.
Example refresh method:
```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.util.Date;

// secret, calculateExpirationDate() and getAllClaimsFromToken() are defined elsewhere in the same JwtTokenUtil class
public String refreshToken(String token) {
    final Date createdDate = new Date();
    final Date expirationDate = calculateExpirationDate(createdDate);
    // parse the existing token (signature is verified during parsing) and reuse its claims
    final Claims claims = getAllClaimsFromToken(token);
    claims.setIssuedAt(createdDate);
    claims.setExpiration(expirationDate);
    // re-sign the updated claims as a fresh token
    return Jwts.builder().setClaims(claims).signWith(SignatureAlgorithm.HS512, secret).compact();
}
```
This code snippet is from my repo, which uses the same jjwt library: https://github.com/dmcheremisin/TodoApp/blob/master/backend/src/main/java/com/todo/app/util/JwtTokenUtil.java
- Blacklist logged-out tokens. I personally don't like this approach, because you need a centralized place for blacklisted tokens in the case of a multi-node application. JWT tokens were created to avoid linking to the session of a concrete web server (node). So, you can't store tokens in only one node of your application.
Related article: https://medium.com/devgorilla/how-to-log-out-when-using-jwt-a8c7823e8a6
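As an added example (not code from the answer's TodoApp repository or from jjwt itself), the following class combines approaches 2 and 3 from the answer, which Dmitrii also recommends in the comments below: tokens are issued with a 15-minute lifetime and a unique `jti` id, logout puts that id on a revocation list only until the token would have expired anyway (so the list stays bounded and the per-request check is a single lookup), and refresh exchanges a still-valid token for a fresh one while revoking the old id. It is written against the jjwt 0.9.1 API named in the question; the class, interface and method names are hypothetical, and the in-memory store is where a shared store would be plugged in for a multi-node deployment.

```java
// Added example, not code from the answer's TodoApp repo: short-lived tokens (approach 2) plus a
// revocation list keyed by the token's "jti" claim (approach 3), written against jjwt 0.9.1 as in
// the question. Class, method and interface names are hypothetical.
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;

public class RevocableJwtService {

    /** Revoked token ids. In-memory here; a multi-node API must give every node the same
     *  view, so this interface would be implemented over a shared cache or database instead. */
    public interface RevokedTokenStore {
        void revoke(String jti, Date tokenExpiry);
        boolean isRevoked(String jti);
    }

    /** Keeps an id only until its token would have expired anyway, so the list stays bounded. */
    public static class InMemoryRevokedTokenStore implements RevokedTokenStore {
        private final Map<String, Long> revokedUntil = new ConcurrentHashMap<>();

        @Override
        public void revoke(String jti, Date tokenExpiry) {
            revokedUntil.put(jti, tokenExpiry.getTime());
        }

        @Override
        public boolean isRevoked(String jti) {
            long now = System.currentTimeMillis();
            revokedUntil.entrySet().removeIf(e -> e.getValue() < now); // drop expired entries
            return revokedUntil.containsKey(jti);
        }
    }

    private static final long VALIDITY_MS = TimeUnit.MINUTES.toMillis(15); // short lifetime
    private final byte[] secret;
    private final RevokedTokenStore revoked;

    public RevocableJwtService(String secretText, RevokedTokenStore revoked) {
        this.secret = secretText.getBytes(StandardCharsets.UTF_8);
        this.revoked = revoked;
    }

    /** Issues a token with a unique id so that this token, and only this token, can be revoked. */
    public String issue(String username) {
        Date now = new Date();
        return Jwts.builder()
                .setId(UUID.randomUUID().toString())
                .setSubject(username)
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + VALIDITY_MS))
                .signWith(SignatureAlgorithm.HS512, secret)
                .compact();
    }

    /** Checks signature and expiry (done by jjwt), then the revocation list. Null means rejected. */
    public Claims validate(String token) {
        final Claims claims;
        try {
            claims = Jwts.parser().setSigningKey(secret).parseClaimsJws(token).getBody();
        } catch (JwtException e) { // bad signature, expired or malformed: reject
            return null;
        }
        if (claims.getId() == null || revoked.isRevoked(claims.getId())) {
            return null;
        }
        return claims;
    }

    /** Logout: list the token's id until its own expiry; any node consulting the store rejects it. */
    public boolean logout(String token) {
        Claims claims = validate(token);
        if (claims == null) {
            return false; // already invalid, nothing to revoke
        }
        revoked.revoke(claims.getId(), claims.getExpiration());
        return true;
    }

    /** Refresh: a still-valid token is exchanged for a fresh one and the old id is revoked. */
    public String refresh(String token) {
        Claims claims = validate(token);
        if (claims == null) {
            return null;
        }
        revoked.revoke(claims.getId(), claims.getExpiration());
        return issue(claims.getSubject());
    }

    public static void main(String[] args) {
        // constructed demo secret; a real one comes from configuration, never from source code
        String demoSecret = "constructed-demo-secret-of-at-least-sixty-four-bytes-for-hs512-0123456789";
        RevocableJwtService jwt = new RevocableJwtService(demoSecret, new InMemoryRevokedTokenStore());
        String token = jwt.issue("alice");
        System.out.println("valid before logout: " + (jwt.validate(token) != null));
        System.out.println("logout accepted: " + jwt.logout(token));
        System.out.println("valid after logout: " + (jwt.validate(token) != null));
    }
}
```

In a Spring Boot filter, `validate` is what runs on every request: the signature check already happens there in the linked tutorial, and the revocation lookup adds one map (or cache) read keyed by `jti`, which is what keeps the cost acceptable. Because entries are dropped once the token's own `exp` passes, the store never grows beyond the number of logouts within one token lifetime.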
Rakesh Kumar
Updated on June 04, 2022
Comments
-
Rakesh Kumar almost 2 years
I am using this example https://dzone.com/articles/spring-boot-security-json-web-tokenjwt-hello-world for creating a Spring Boot REST API with JSON Web Token (JWT), but I have not found any API for forceful logout using the io.jsonwebtoken Maven dependency.
I am using this dependency in the pom:
```xml
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <version>0.9.1</version>
</dependency>
```
Can anyone tell me whether this dependency provides any logout or revoke-token API or not? If not, please provide any solution for forceful logout using this process.
-
Valijon almost 4 years
"In this example, we will be making use of hard-coded user values for user authentication." Normally, there is no logout for a token mechanism, since the server never creates a session... What you can do is remove (you need to store it somewhere and check if it exists...) / deny the token by some criteria. In this article, follow the instructions of Spring Boot + JWT + MYSQL JPA for storing and fetching user credentials.
-
Rakesh Kumar almost 4 years
Thanks @Valijon for the reply. I just want to invalidate the token on logout using JWT, because it does not maintain a session on the server side. So how can we resolve force logout with JWT without saving the token in the DB? Because if I follow saving the token in the DB and setting a token blacklist, and then we check whether the token is blacklisted or not on every server request, I think this is not the right way to log out and to check every request against the token blacklist. Can you tell me any other process or any other approach to logout in a Spring Boot RESTful API?
-
Valijon almost 4 years
Logout means closing the session, but with JWT and other token mechanisms there is no session... There is no solution for your requirements. Use the standard security mechanism related to sessions, so then you can log out...
-
Rakesh Kumar almost 4 years
You mean JWT does not provide anything for revoking a token? If this is true, can you tell me any other process for Spring Boot REST API authentication for our app's mobile users?
-
MJBZA almost 4 years
@RakeshKumar I have the same problem, how did you find a solution for that?
-
Rakesh Kumar almost 4 years
Thanks @Dmitrii for your support in understanding things with JWT tokens. Actually I have created a backend project with a Spring Boot REST API for Android app mobile users, and currently I am using JWT with Spring Boot Security stateless sessions on the server side. But I am just confused about what happens when a mobile user presses logout in the app. Then how do we handle this with the JWT token? Please help me.
-
Dmitrii Cheremisin almost 4 years
Hi, @RakeshKumar. I don't know how things are done in Android app development. But I suppose that in your situation the easiest solution will be to delete the token from your application context (Android app context). The token will be missing and the user will not be able to send any secured requests to the Spring Boot REST API. So, remove the token on logout.
-
Rakesh Kumar almost 4 years
Actually, I am afraid of token hacking if I use this process of removing the token at the context level. If someone copies this token and uses it again for another API call, this is harmful for app users. So can you tell me something on the server side for removing the JWT token? If it is not possible to remove the token from the server side using Spring Boot JWT, then please tell me another token approach on the server side, if any, like Spring Boot OAuth2 (this provides token revocation). But I am not using that one because we would need an auth server for it. So if you have any other approach, please share it with us.
-
Dmitrii Cheremisin almost 4 years
I provided approaches number 2 and 3 for this situation. You may limit the expiration time of the token and refresh it if needed. Or you may blacklist the token on logout, but you should use centralized blacklist storage in the case of a multi-node Spring Boot API (several backend servers with load balancing). If you use only ONE node of your API, then you may blacklist the token in your Spring Boot API only, without any concerns.
-
Rakesh Kumar almost 4 years
OK @Dmitri, thanks for your support and for giving your valuable time regarding JWT tokens. This is a very useful discussion for us. Thanks.