Token Revocation
The mechanism for invalidating issued access or refresh tokens before their natural expiration, typically triggered by logout, password change, or security events.
Description
Token revocation is the process of invalidating an issued token (access token or refresh token) before it naturally expires, rendering it unusable for subsequent requests. It is needed on security events such as user logout, password changes, detected account compromise, permission changes, and administrative deactivation of a user. RFC 7009 defines a standard revocation endpoint for OAuth 2.0: the client POSTs the token (and an optional type hint) to the authorization server, authenticating as it would to the token endpoint, and the server must confirm the token was issued to that client before revoking it.
The difficulty of revocation depends on the token type. Opaque tokens (random strings that reference server-side session data) are trivially revocable: delete the server-side record and the token is dead everywhere. Self-contained tokens such as JWTs are harder, because any holder of the verification key can validate them with no server round trip, so they remain valid until expiration by design. Revoking a JWT therefore requires a server-side blacklist (or blocklist) of revoked-but-unexpired token identifiers, consulted on every request, which gives up part of the stateless advantage of JWTs. The list stays small if entries expire with their tokens. The usual compromise is to issue short-lived access tokens (5-15 minutes), accept that a revoked session can linger for at most that window on resource servers that do not consult the blocklist, and concentrate revocation on the long-lived refresh tokens.
A revocation endpoint should accept the token and an optional token_type_hint (access_token or refresh_token), treat the hint only as a lookup optimization (if the token is not found under the hinted type, search the other type), and return 200 OK even when the token is unknown or already expired, so that the endpoint cannot be used as an oracle for guessing valid tokens. Per RFC 7009, revoking a refresh token should also invalidate the access tokens issued from the same grant. For JWT access tokens, add the token's jti (JWT ID, which must therefore be present and unique) to a Redis-based blacklist with a TTL equal to the token's remaining lifetime; entries for already-expired tokens need not be stored. For refresh tokens, mark them as revoked in the database rather than deleting them, so reuse of a revoked token can be detected and logged. On a password change or other per-user security event, revoke every outstanding token for the user at once by keeping a per-user token generation counter or 'not-before' timestamp and rejecting any token whose iat (a signed claim, so it cannot be forged by the bearer) predates it. Decide explicitly what the middleware does when the blacklist store is unreachable; failing open silently turns a Redis outage into a revocation bypass.
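The scheme described above, as an added Python example that is not code from the page or its author. It stands in for the Redis keys and the refresh-token table with in-memory dictionaries, hand-rolls an HS256 JWT so it runs with no dependencies, and uses a constructed signing key; the names RevocationStore, handle_revoke_request, access_token_status and the status strings are assumptions made for the example. The revoke path honours token_type_hint as a first guess and then falls back to the other type, and the endpoint answers 200 for unknown tokens; only a request with no token parameter at all gets a 400 (invalid_request in RFC 6749 terms).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: one HS256 key held by the authorization server (constructed for this example).
SIGNING_KEY = b"example-signing-key-not-for-production"
ACCESS_TTL = 10 * 60  # short-lived access tokens, in seconds


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(user_id: str, now: float) -> str:
    """Mint an HS256 JWT with sub, a random jti, iat and exp claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user_id, "jti": secrets.token_hex(16), "iat": int(now), "exp": int(now) + ACCESS_TTL}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def parse_and_verify(token: str) -> dict:
    """Verify structure and signature only; revocation state is checked by the store."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise ValueError("bad signature")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        return json.loads(_b64url_decode(payload))
    except ValueError as exc:  # covers malformed base64/JSON and the raises above
        raise ValueError(f"invalid token: {exc}") from None


class RevocationStore:
    """In-memory stand-in for revoked:{jti} (SETEX), auth:user:{id}:not_before,
    and the refresh-token table. A real deployment keeps these in Redis / the DB."""

    def __init__(self) -> None:
        self.revoked_jti: dict = {}   # jti -> exp; the entry is dropped once the token expires
        self.not_before: dict = {}    # user_id -> epoch; tokens with iat earlier are dead
        self.refresh: dict = {}       # opaque refresh token -> {"sub": ..., "revoked_at": ...}

    def issue_refresh_token(self, user_id: str) -> str:
        tok = secrets.token_urlsafe(32)
        self.refresh[tok] = {"sub": user_id, "revoked_at": None}
        return tok

    def revoke(self, token: str, token_type_hint: Optional[str], now: float) -> None:
        """Try the hinted type first, then the other; never raises for an unknown token."""
        order = ["access_token", "refresh_token"] if token_type_hint == "access_token" else ["refresh_token", "access_token"]
        for kind in order:
            if kind == "refresh_token" and token in self.refresh:
                self.refresh[token]["revoked_at"] = now  # keep the row so reuse can be detected
                return
            if kind == "access_token":
                try:
                    claims = parse_and_verify(token)
                except ValueError:
                    continue
                if claims["exp"] > now:  # SETEX revoked:{jti} remaining_seconds 1
                    self.revoked_jti[claims["jti"]] = claims["exp"]
                return

    def revoke_all_for_user(self, user_id: str, now: float) -> None:
        """Password change / compromise: kill every token the user holds right now."""
        self.not_before[user_id] = int(now)
        for rec in self.refresh.values():
            if rec["sub"] == user_id and rec["revoked_at"] is None:
                rec["revoked_at"] = now

    def purge_expired(self, now: float) -> None:
        """What Redis TTL expiry does for us: forget blacklist entries for expired tokens."""
        self.revoked_jti = {j: exp for j, exp in self.revoked_jti.items() if exp > now}

    def access_token_status(self, token: str, now: float) -> str:
        """The check the JWT middleware runs per request; anything but 'valid' is a 401."""
        try:
            claims = parse_and_verify(token)
        except ValueError:
            return "invalid"
        if claims["exp"] <= now:
            return "expired"
        if claims["jti"] in self.revoked_jti:
            return "revoked"
        if claims["iat"] < self.not_before.get(claims["sub"], 0):
            return "revoked-user-wide"
        return "valid"

    def refresh_is_usable(self, token: str) -> bool:
        rec = self.refresh.get(token)
        return rec is not None and rec["revoked_at"] is None


def handle_revoke_request(store: RevocationStore, form: dict, now: float = None) -> int:
    """POST /oauth/revoke handler returning the HTTP status. Unknown or expired tokens
    still get 200 (no oracle); only a missing token parameter is a 400 invalid_request."""
    now = time.time() if now is None else now
    token = form.get("token")
    if not token:
        return 400
    store.revoke(token, form.get("token_type_hint"), now)
    return 200
```

The not-before comparison works at one-second granularity because iat is an integer; a token minted in the same second as a user-wide revocation survives it, which is acceptable for a password-change flow but worth knowing when writing tests.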
Prompt Snippet
Implement token revocation with a POST /oauth/revoke endpoint accepting token and token_type_hint parameters. For refresh tokens, mark as revoked in the database with a revoked_at timestamp. For JWT access tokens, add the jti claim to a Redis key with a TTL matching the remaining token lifetime (SETEX revoked:{jti} remaining_seconds 1). Check this blacklist in your JWT validation middleware before processing any request. On password change or security events, set a per-user not_before timestamp in Redis (auth:user:{id}:not_before) and reject any token with iat earlier than this value. Always return 200 OK from the revocation endpoint regardless of token validity.
Related Terms
Token Blacklisting
A server-side list of revoked tokens that are checked on each request to deny access from tokens that have been invalidated before their natural expiration.
JWT (JSON Web Tokens)
A compact, URL-safe token format that encodes claims as a JSON object, digitally signed for integrity verification and optionally encrypted for confidentiality.
JWT Refresh Token Rotation
A security strategy where each use of a refresh token issues a new refresh token and invalidates the old one, so that presentation of an already-rotated token signals theft and can trigger revocation of the whole token family.
Session Management
The practice of securely creating, maintaining, and destroying user sessions to track authenticated state across stateless HTTP requests.
Audit Logging for Auth Events
Comprehensive, tamper-evident logging of all authentication and authorization events to support security monitoring, incident investigation, and compliance requirements.