Hello there I have an application that generates a JWT token for the user on logging in. But the problem is I want to add the previous JWTtoken to blacklist if the user logged in with a new device. The problem is I don`t know how to get the previous JWTtoken when the user logs in again. Any suggestions?
Advertisement
Answer
The big question here is how does the user take a JWT from one device to another? You should be doing your best to hide the JWT, using it mostly in the Request Headers.
But if you are making a JWT accessible there are 2 ways you could approach this problem.
JWT expiration policy – this is the most common technique, the JWT expires after a certain time and the user must re-login. Why this doesn’t directly solve the problem of switching devices, it should prevent most cases
Device property – when you generate the JWT add a property to the JWT for the device type “pc”, “mobile”, “tablet” etc and check that the property matches the user’s current device. You could add an authorization step to your router that does this.