
I am creating a route /user/logout using dusterio/lumen-passport, and in the controller action I manually revoke tokens, which leads to the user being logged out.

I have two options to log out a user. Revoke the token (which persists the token in the database - just sets a flag telling that the token is useless) and delete the token.

My question is simply this:

What is the best approach to manage tokens? Should I log out by deleting or by revoking?

In future, I will be using Redis to store the tokens, so I suppose I should delete the tokens, since it doesn't make sense to persist expired data in the Redis server.

I think in your scenario, by deleting the token you achieve the same result as token invalidation, but without the need to manage invalid tokens inside your store (whatever it is). – Raffaele

1 Answer


1) Revoke / invalidate the token.

2) Every time you call protected API, you should check the token validity and then only serve the request accordingly.

3) In case you encounter an invalid token, redirect a user to the login page and issue a valid token on successful authentication and redirect them to the requested page again.

With this approach, even if there's an existing session open in another tab / window of the same browser, and the user hasn't yet logged in again after logout / session timeout, this will always ensure the use of a valid token at all times.

It definitely doesn't make sense to store expired tokens. Nor is it the right practice to store JWT tokens in the database. They should only be stored in session data and removed / replaced on change of validity.

Therefore, only store a single valid JWT token for a particular purpose in session data. Be sure you'll never get the same JWT token ever again, assuming your JWT token issuer server has the best implementation. So there's absolutely no point in storing them after expiry.
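The two logout strategies from the question (revoke flag vs. delete) and the check-on-every-request rule from this answer, as an added example that is not part of the question, the answer or the lumen-passport package. `TokenStore` is a hypothetical in-memory stand-in for the `oauth_access_tokens` table or a Redis hash; it assumes, as Passport does, that a missing row is treated exactly like a revoked one, so both strategies fail closed.

```python
import time

class TokenStore:
    """Constructed stand-in for the token table: token_id -> row dict."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.rows = {}

    def issue(self, token_id, user, ttl):
        self.rows[token_id] = {"user": user, "expires_at": self.clock() + ttl, "revoked": False}

    def revoke(self, token_id):
        # Option 1: keep the row and flip the flag. The audit trail survives,
        # but the row has to be purged later (the point Raffaele's comment makes).
        if token_id in self.rows:
            self.rows[token_id]["revoked"] = True

    def delete(self, token_id):
        # Option 2: drop the row. With Redis a TTL on the key does this at expiry.
        self.rows.pop(token_id, None)

    def purge_expired(self):
        now = self.clock()
        self.rows = {k: v for k, v in self.rows.items() if v["expires_at"] > now}

    def is_valid(self, token_id):
        # Missing, revoked and expired rows are all invalid (assumption: Passport semantics).
        row = self.rows.get(token_id)
        return row is not None and not row["revoked"] and row["expires_at"] > self.clock()

def handle_protected_request(store, token_id, path):
    """Steps 2 and 3 of the answer: validate on every call, else send to login."""
    if store.is_valid(token_id):
        return {"status": 200, "user": store.rows[token_id]["user"], "path": path}
    return {"status": 302, "location": "/login?next=" + path}

def demo():
    now = [1_000_000.0]                       # fake clock so expiry is deterministic
    store = TokenStore(clock=lambda: now[0])
    store.issue("tok-alice", "alice", ttl=3600)
    store.issue("tok-bob", "bob", ttl=3600)
    store.issue("tok-carol", "carol", ttl=60)
    before = handle_protected_request(store, "tok-alice", "/user/profile")["status"]
    store.revoke("tok-alice")                 # logout by revocation
    store.delete("tok-bob")                   # logout by deletion
    now[0] += 120                             # carol's token expires on its own
    after = {t: handle_protected_request(store, t, "/user/profile")["status"]
             for t in ("tok-alice", "tok-bob", "tok-carol", "tok-unknown")}
    store.purge_expired()                     # only the revoked-but-unexpired row remains
    return before, after, sorted(store.rows)
```

Running `demo()` shows every post-logout request redirected to `/login`, and that after a purge only the revoked row is still sitting in the store, which is the housekeeping cost of revocation over deletion.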