Question

While creating/assigning the JWTs to users, should we also store them in our databases?

The negatives/cons of storing tokens in the database would be that all the data in the payload of the JWT is already stored in the database, hence storing the token would mean storing redundant data; also, the verification of JWTs happens through the signature keys, which do not change for a long period of time, but,

The positive/pro I can see of storing the JWT in our database would be that even after assigning the token we would have the power to invalidate or deactivate the existing tokens even before expiry.

One of the use cases for storing the tokens would be that tokens will be invalidated when there is an update in the auth scheme and all the old tokens have to be invalidated.


Solution

The positive/pro I can see of storing the JWT in our database would be that even after assigning the token we would have the power to invalidate or deactivate the existing tokens even before expiry

This only happens if you're validating the token against the database, in which case why use JWT? The whole point of having a self-contained, signed token is that you don't need to go to the database to verify that the user is signed in.

Other tips

So you have implemented OAuth2, but you have a 'security' specification from the 90s which says

"the user's session must expire after 15 min"

or

"When the user clicks log out their session is no longer valid"

One way to get around this is to implement token revocation. There are a number of ways of achieving this, but storing the tokens in a database and marking them revoked is probably the simplest for a small setup.

The problem with revocation is that it requires instant consistency across all your resource servers, exactly the thing you are trying to get away from!

If you can sell short access-token expiry as a superior solution then great; if not, you are stuck with what is essentially a hack.
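To make the trade-off in the two answers above concrete, here is an added example (not code from the question or either answer). It mints and verifies an HS256 JWT using only the standard library, with a constructed demo key and invented user names. The first answer's point shows up as `verify_stateless`: signature plus `exp` is all a resource server can check without a database, so a token that has been "revoked" elsewhere is still accepted. The second answer's revocation-by-database is modelled by a denylist keyed on the `jti` claim (assumed to be present in every token); `verify_with_revocation` consults it. A detail worth noticing is that a denylist entry only has to live until the token's own `exp`, so short expiry both bounds the damage window and keeps the revocation store small.

```python
import base64
import hashlib
import hmac
import json
import uuid

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(sub: str, ttl_seconds: int, now: int) -> str:
    """Mint an HS256 JWT; the unique jti is what lets us revoke one token later."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl_seconds, "jti": str(uuid.uuid4())}
    h = _b64url(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"


def verify_stateless(token: str, now: int) -> dict:
    """Signature and expiry only: everything a resource server can do with no database."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if now >= payload["exp"]:
        raise ValueError("expired")
    return payload


class RevocationStore:
    """Denylist of revoked jti values; stands in for the database table in the answer."""

    def __init__(self) -> None:
        self._revoked: dict[str, int] = {}  # jti -> exp of the revoked token

    def revoke(self, payload: dict) -> None:
        self._revoked[payload["jti"]] = payload["exp"]

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked

    def purge(self, now: int) -> int:
        """Drop entries whose token has expired anyway; returns how many were dropped."""
        stale = [j for j, exp in self._revoked.items() if exp <= now]
        for j in stale:
            del self._revoked[j]
        return len(stale)


def verify_with_revocation(token: str, now: int, store: RevocationStore) -> dict:
    """Stateless checks first, then the database round trip the first answer objects to."""
    payload = verify_stateless(token, now)
    if store.is_revoked(payload["jti"]):
        raise ValueError("revoked")
    return payload


def demo() -> dict:
    """Walk one token through logout-before-expiry and return what each check decided."""
    now = 1_700_000_000  # constructed fixed clock
    store = RevocationStore()
    tok = issue("alice", ttl_seconds=900, now=now)
    store.revoke(verify_stateless(tok, now + 60))  # user logs out after one minute
    results = {}
    results["stateless_after_revoke"] = verify_stateless(tok, now + 120)["sub"]  # still accepted
    try:
        verify_with_revocation(tok, now + 120, store)
        results["stateful_after_revoke"] = "accepted"
    except ValueError as e:
        results["stateful_after_revoke"] = str(e)
    results["purged_before_exp"] = store.purge(now + 120)  # too early, nothing to drop
    results["purged_after_exp"] = store.purge(now + 900)   # token expired, entry can go
    try:
        verify_stateless(tok, now + 900)
        results["stateless_after_exp"] = "accepted"
    except ValueError as e:
        results["stateless_after_exp"] = str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it and the two verifiers disagree for the 13 minutes between logout and `exp`: that window is exactly what the second answer calls the hack, and shrinking `ttl_seconds` is the "short expiry" alternative it recommends.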

License: CC-BY-SA with attribution
Not affiliated with softwareengineering.stackexchange