Resources to learn and implement authentication in your application
This is compilation of research on implementing authentication in applications(Covering authentication using JWT for now, more approaches will follow soon)
- Simply remove the token from the client
- Create a token blacklist
- Just keep token expiry times short and rotate them often
- Contingency Plans : allow the user to change an underlying user lookup ID with their login credentials
A common approach for invalidating tokens when a user changes their password is to sign the token with a hash of their password. Thus if the password changes, any previous tokens automatically fail to verify. You can extend this to logout by including a last-logout-time in the user's record and using a combination of the last-logout-time and password hash to sign the token. This requires a DB lookup each time you need to verify the token signature, but presumably you're looking up the user anyway.