I am trying to test JWT authentication using Micronaut.
I read this guide; the guide works, but I still don't get it at all.
For example, when user A uses the username sherlock to log in and the login succeeds, the client of user A gets the JWT token and stores it in a cookie, and on the other side user B uses the same username and logs in to the server; of course he/she gets a new JWT token and stores it in a cookie.
It means users A and B are able to access http://localhost:8080/, but when user A or B logs out, both user A and B are no longer able to access http://localhost:8080/.
It means that when one of them logs out, both JWT tokens are not valid anymore.
From this guide, how does Micronaut revoke that JWT token?
I recommend reading this article:
https://medium.com/devgorilla/how-to-log-out-when-using-jwt-a8c7823e8a6
But the short answer is that you're actually not able to "log out" like you do with form login or basic auth. You can force the cookie to be deleted to remove the JWT, for example. But the better solution is to set expiration times for your JWT so that you get an Unauthorized state in such cases.
Let's say our JWT has an expiration of 5 minutes and users A and B are logged in. Then user A "logs out" and the app deletes the cookie, but the existing JWT in user B's browser is still alive and you have no option to force a delete. But client B's JWT will expire after 5 minutes and he would have to log in again (because he will get a 401 for every upcoming HTTP call).
I hope this is somehow explanatory to you :)
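To make the answer's point concrete, here is an added, self-contained Python illustration (not Micronaut code and not from the original answer) of stateless JWT checking: it uses a hypothetical minimal HS256 issuer/verifier with a constructed secret and a 5-minute expiry, logs in users A and B as sherlock, deletes A's cookie, and shows that B's token is only rejected once its exp claim passes.

```python
"""Constructed illustration of why deleting one user's JWT cookie does not
revoke another token issued for the same username: verification is stateless
(signature + exp), so only expiry ends the second session."""
import base64, hmac, hashlib, json

SECRET = b"constructed-demo-secret"   # assumed server-side HMAC key (not real)
EXP_SECONDS = 5 * 60                  # the 5-minute lifetime from the answer

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(username: str, now: int) -> str:
    """Mint an HS256 JWT with an exp claim (hypothetical minimal issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": username, "iat": now, "exp": now + EXP_SECONDS}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: int) -> int:
    """Return 200 if signature and exp check out, else 401. Stateless: no list of
    'logged out' users is consulted, which is exactly the answer's point."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return 401
        claims = json.loads(_b64url_decode(payload))
        return 200 if now < claims["exp"] else 401
    except (ValueError, KeyError):
        return 401

def simulate_logout_scenario() -> dict:
    """Users A and B both log in as 'sherlock'; A logs out (cookie deleted)."""
    t0 = 1_700_000_000                    # constructed clock value
    cookies = {"A": issue_token("sherlock", t0), "B": issue_token("sherlock", t0 + 30)}
    del cookies["A"]                      # A "logs out": only A's cookie disappears
    b_after_a_logout = verify_token(cookies["B"], t0 + 60)            # still 200
    b_after_expiry = verify_token(cookies["B"], t0 + 30 + EXP_SECONDS)  # now 401
    return {"B_after_A_logout": b_after_a_logout, "B_after_expiry": b_after_expiry}

if __name__ == "__main__":
    print(simulate_logout_scenario())
```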