How to support JWT token logoff about jwt-cpp HOT 7 CLOSED

@laoshanxi
Short answer: You cant, thats not something jwt was designed for.
Long answer:
You could keep a database of revoked tokens and check against that (something like memcached/redis). However that kind of kills the main benefit of jwt, which is to allow for nothing shared architectures.

from jwt-cpp.

Could you not do

const auto now = std::chrono::system_clock::now();
auto token = jwt::create()
	.set_issuer("auth0")
	.set_issued_at(now)
	.set_expires_at(now /* minus one ??? */)
	.sign(jwt::algorithm::hs256{"secret"});

from jwt-cpp.

Thanks @Thalhammer ,

For client side, the simple solution can be clear the token memory in client side, the client have no token can not login again.

For safe service side, server should hold the none-expired token which has been logged out。

from jwt-cpp.

Yeah normally you just wipe it from memory on the client side. Most jwt based apps dont really do a
"logout" feature. Instead the common approach is to use short lived tokens (like 30min or an hour) and on "logout" you just wipe all info from the client and let the token expire. While the client is still online you can just periodically refresh the token. That also gives you sort of an auto logout.

from jwt-cpp.

Yes, periodic refresh token seems good (if do not consider performance cost), use old none-expired token to renew a token.

from jwt-cpp.

Refreshing the token every 30 or so minutes should not have a notable performance impact. Make sure you renew your token soon enough, so you still have enough time to do (and possibily retry) the request. You can parse the token and get the exp value in JS to calculate when to refresh it.

from jwt-cpp.

Got it, thanks for the explaination.

from jwt-cpp.