I want to implement JWT in my next project. I just want to know if there is any best way to implement logout from all devices in JWT. As JWT is a stateless mechanism, do we have to involve Redis/DB?
I have found the following to be the best way to handle a few things with JWT.
As JWT is a stateless mechanism, I've faced the following problems.
How to implement logout? When someone tries to log out, as it is stateless, there comes an issue to invalidate the token.
Solution: Use Redis as an in-memory database which handles all tokens; save the token (with the same TTL as the token has) every time a user logs in, and cross-check it with each request along with token validation. When someone wants to log out, remove the token from Redis along with the client side. As we are cross-checking in Redis, when a user logs out and tries to access with the same token, the system will not find the token in Redis, so handle it and throw an Unauthenticated error.
How to invalidate all tokens of same user when user changes password?
How to implement logout from all devices feature?
Solution: As we are storing tokens in Redis, either we have to search for all tokens related to the given user and delete them from Redis, or store tokens in the database too when the user signs in, find all tokens related to a user, get the token IDs and delete them from Redis. Storing in the DB is better as DBs are better at find operations.
If you just want to remove the token, it will be as simple as removing it from the front-end application. In your case, clear the cookies that store the token.
On the other hand, if you mean to invalidate the token, there are a couple of ways to do it; below are some of them:
(1) If all the tokens ever generated are stored in the backend, it will be as simple as clearing that storage; if tokens have been mapped to users, you can just clear the tokens for a particular user.
(2) You can add a date field like "invalidate_before" along with the user, which should be updated on events such as changing password, logout from all devices, etc. Simply update invalidate_before to currentTime() on such events. Every time a new token is created, add the created time in the token payload; to validate the token on an incoming request, just check whether the created time in the payload is greater than the invalidate_before time for that user in the DB.
(3) When you create a new user, create a secret for just that user; then you can sign every token of that user with that specific secret, and just like in (2), events like changing password, logout from all devices, etc. should create a new secret. This way you can also invalidate by checking the token signature.
The overhead with (2) and (3) is that validation will be a two-step process and it involves DB reading.
EDIT: For (3) you may use a salt instead (the final secret will be the common secret + the salt for the particular user), so that you have a way to invalidate either a single user's tokens by changing the salt or all users' tokens by changing the common secret.
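The two approaches in the answer above, (2) and (3) with the salt variant, as an added example that is not part of the original answer: a minimal HS256 JWT issuer/verifier where each token carries an `iat` claim checked against a per-user `invalidate_before`, and the signing key is derived from a common secret plus a per-user salt. The `USERS` dict, the secret and the salt values are constructed stand-ins for the database rows.

```python
# Added example (not from the answer above): approaches (2) and (3) combined.
# USERS stands in for the user table; COMMON_SECRET and salts are constructed.
import base64, hashlib, hmac, json

COMMON_SECRET = b"constructed-common-secret"                 # constructed value
USERS = {"alice": {"salt": "s1", "invalidate_before": 0}}   # constructed "db" row

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _user_key(user: str) -> bytes:
    # approach (3), salt variant: final secret = common secret + per-user salt
    return hashlib.sha256(COMMON_SECRET + USERS[user]["salt"].encode()).digest()

def issue(user: str, now: int, ttl: int = 3600) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(_user_key(user), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify(token: str, now: int):
    """Return the claims dict if the token is acceptable, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        claims = json.loads(_unb64(payload))
        user, iat, exp, sig_bytes = claims["sub"], int(claims["iat"]), int(claims["exp"]), _unb64(sig)
    except (ValueError, KeyError, TypeError):
        return None
    if user not in USERS:
        return None
    # The header's "alg" is deliberately ignored: we always verify with HMAC-SHA256.
    expected = hmac.new(_user_key(user), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None   # salt or common secret was rotated, or the token is not ours
    if now >= exp:
        return None   # ordinary expiry
    if iat <= USERS[user]["invalidate_before"]:
        return None   # approach (2): issued at or before the last "logout everywhere"
    return claims

def logout_all_devices(user: str, now: int) -> None:
    USERS[user]["invalidate_before"] = now   # approach (2): one DB write, no token list

def rotate_salt(user: str, new_salt: str) -> None:
    USERS[user]["salt"] = new_salt           # approach (3): old signatures stop verifying
```

Both checks cost one user-row lookup per request, which is the "two-step validation" overhead the answer mentions; a token issued in the same second as a logout-everywhere event is rejected here, which is the safer side of the boundary.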
Can we save a random JWT secret in the DB when a new user is created? If we want to sign out all devices, just generate a new secret, so all old tokens are invalid now. And for normal logout, just delete the token in the front end.