Okta-jwt-verifier successfully verifies tokens even when user is logged out

I have a Java backend which exposes a REST API that an Angular app consumes. I have used the okta-jwt-verifier Java library in my backend to validate Okta JWT tokens, to verify the identity of users who send REST requests to the backend.

I noticed that if I back up a JWT token and re-use it after the user has logged out, okta-jwt-verifier still successfully verifies it.

Is there a way I can get the okta-jwt-verifier to identify that a certain token was issued to a logged out session?

I believe this is because the JWT verifier is only validating the claims in the token and whether it has expired. There isn't information inside the token to identify whether the user has logged out. If you have security concerns, it is recommended to keep the token lifetime relatively short.

An alternative is to use the /revoke endpoint to revoke the access and refresh tokens when the user has logged out of your application.

Then you can use the /introspect endpoint to see whether the token is still active.

If the token is invalid, expired, or revoked, it is considered inactive.

There is a good explanation from Auth0 as well: Best practice for checking if token is revoked in API - #2 by nicolas_sabena - Auth0 Community

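The /revoke and /introspect flow described in the answer above, as an added example that is not part of the original thread and not code from Okta's okta-jwt-verifier. It is written in Python rather than the Java of the question to keep the HTTP exchange short; the issuer URL, client ID and secret are placeholders, the FakeAuthServer is a constructed stand-in so the example runs offline, and the token carries a placeholder signature because signature checking is not what is being shown. The client is assumed to be a confidential client authenticating with HTTP Basic; a public client would send client_id in the form body instead.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

# A transport takes (url, headers, form_fields) and returns the decoded JSON body.
Transport = Callable[[str, Dict[str, str], Dict[str, str]], Dict]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def claims_look_valid(token: str, now: Optional[float] = None) -> bool:
    """What a stateless verifier can decide from the token alone: here only that
    `exp` is in the future. Signature verification is omitted; adding it would not
    change the result, since nothing in the token records a later logout."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return payload.get("exp", 0) > (time.time() if now is None else now)


def urllib_transport(url: str, headers: Dict[str, str], form: Dict[str, str]) -> Dict:
    """Real HTTP sender for a live authorization server (not used offline)."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class OAuthTokenClient:
    """Client for the RFC 7009 /revoke and RFC 7662 /introspect endpoints.
    `issuer` is the authorization server base URL (assumed example:
    https://dev-123456.okta.com/oauth2/default); Okta serves the endpoints at
    {issuer}/v1/revoke and {issuer}/v1/introspect."""

    def __init__(self, issuer: str, client_id: str, client_secret: str,
                 transport: Transport = urllib_transport):
        self.issuer = issuer.rstrip("/")
        self.transport = transport
        creds = f"{client_id}:{client_secret}".encode()
        self.headers = {
            "Authorization": "Basic " + base64.b64encode(creds).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        }

    def revoke(self, token: str, token_type_hint: str = "access_token") -> None:
        # Call this from the logout handler; RFC 7009 servers answer 200 even for unknown tokens.
        self.transport(f"{self.issuer}/v1/revoke", self.headers,
                       {"token": token, "token_type_hint": token_type_hint})

    def introspect(self, token: str, token_type_hint: str = "access_token") -> Dict:
        return self.transport(f"{self.issuer}/v1/introspect", self.headers,
                              {"token": token, "token_type_hint": token_type_hint})

    def is_active(self, token: str) -> bool:
        # "active" is the only field RFC 7662 guarantees; anything but an explicit
        # true means invalid, expired, or revoked.
        return self.introspect(token).get("active") is True


class FakeAuthServer:
    """Constructed stand-in for Okta for the offline run. It remembers the tokens it
    issued and drops them on /revoke, state the resource server's verifier never sees."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.issued: Dict[str, Dict] = {}
        self.revoked = set()

    def issue(self, sub: str, lifetime: int = 3600) -> str:
        header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "fake"}).encode())
        claims = {"sub": sub, "exp": int(self.now()) + lifetime, "iss": "fake-issuer"}
        token = f"{header}.{_b64url_encode(json.dumps(claims).encode())}.{_b64url_encode(b'placeholder-sig')}"
        self.issued[token] = claims
        return token

    def __call__(self, url: str, headers: Dict[str, str], form: Dict[str, str]) -> Dict:
        assert headers["Authorization"].startswith("Basic "), "client auth required"
        token = form["token"]
        if url.endswith("/v1/revoke"):
            self.revoked.add(token)
            return {}
        if url.endswith("/v1/introspect"):
            claims = self.issued.get(token)
            if claims is None or token in self.revoked or claims["exp"] <= self.now():
                return {"active": False}
            return {"active": True, **claims}
        raise ValueError(f"unexpected endpoint {url}")


def logout_scenario():
    """Reproduce the thread's observation and the fix: after logout the backed-up
    token still passes a claims-only check, but introspection reports it inactive."""
    server = FakeAuthServer()
    client = OAuthTokenClient("https://dev-123456.okta.com/oauth2/default",
                              "client-id", "client-secret", transport=server)
    token = server.issue("alice")
    before = (claims_look_valid(token), client.is_active(token))
    client.revoke(token)  # what the application's logout handler should do
    after = (claims_look_valid(token), client.is_active(token))
    return before, after
```

Introspection adds a network round trip to every request, which is the trade-off the answer's "keep the token lifetime short" advice avoids; a common middle ground is to introspect only for sensitive operations, or to cache the introspection result for a period no longer than the remaining token lifetime.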
