Understanding JWT Revocation and Introspection in FusionAuth

    wesley, last edited 10 Feb 2025, 20:48

    From my understanding of general OAuth2 documentation, even though a JWT is a self-contained token carrying its own state, it should still be possible to determine if it has been revoked by querying the /oauth2/introspect endpoint.

    However, this FusionAuth article suggests otherwise, stating that JWTs cannot be revoked and instead recommends using short expiration times or webhooks to notify services when a JWT has been invalidated.

    Specific Questions:

    1. Is my understanding correct that even if a user’s account is locked, the /oauth2/introspect endpoint will still return a valid response for an existing JWT?
    2. Does FusionAuth provide any built-in mechanism to revoke a JWT after it has been issued?
      wesley @wesley, last edited 10 Feb 2025, 20:55

      1. JWTs Cannot Be Revoked:
        • Once a JWT is issued, it remains valid until it expires. JWTs are decoupled authentication tokens, meaning they do not require continuous validation against a central authority.
        • While OAuth2 includes a token introspection endpoint, it is only useful for access tokens and does not support JWT revocation.
      2. What the /oauth2/introspect Endpoint Does:
        • This endpoint verifies whether an access token is valid based on its signature, expiration time, and format.
        • It does not check whether a user’s account has been locked or disabled.
      3. Impact of a Locked Account on JWTs:
        • If a user’s account is locked, they will not be able to obtain a new access token.
        • However, any previously issued JWTs will continue to be valid until they expire, unless you implement additional measures.
      4. How to Handle JWT Revocation:
        Since OAuth2 does not include JWT revocation natively, you can implement one of the following approaches:
        • Use Short Token Lifetimes: Issue JWTs with short expiration times and rely on refresh tokens for continued access.
        • Leverage Webhooks for Denylisting: Use FusionAuth’s event system to notify services when a user is locked or a token should no longer be valid. Services can then maintain a blacklist of invalidated JWTs.

      For more details, refer to:

      • Revoking JWTs in FusionAuth
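As an added example (not code from the original post or from FusionAuth), the Python below does the checks introspection performs (format, signature, expiry) and then adds the denylist step the answer describes: a lock event recorded per subject, after which any token for that subject issued before the lock is treated as revoked. The HS256 key, the `on_user_locked` handler and the claim layout are assumptions for the demo.

```python
import base64, hashlib, hmac, json, time
from typing import Dict, Optional, Tuple

# Constructed demo key; a real deployment uses the signing key configured for the app.
KEY = b"constructed-demo-key-not-for-production"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_jwt(claims: dict, key: bytes = KEY) -> str:
    """Build an HS256 JWT; used here only to construct sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

# Denylist fed by webhook events: subject -> time the account was locked.
# Tokens for that subject issued before that instant are rejected.
REVOKED_BEFORE: Dict[str, int] = {}

def on_user_locked(sub: str, at: int) -> None:
    """Hypothetical webhook handler: remember that `sub` was locked at `at`."""
    REVOKED_BEFORE[sub] = max(at, REVOKED_BEFORE.get(sub, 0))

def validate(token: str, key: bytes = KEY, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason): introspection-style checks first, then the denylist."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        alg = header.get("alg")
    except (ValueError, AttributeError):
        return False, "malformed"
    if alg != "HS256":  # never let the token pick the algorithm ("none", key confusion)
        return False, "unsupported_alg"
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad_signature"
    if "exp" not in claims or now >= claims["exp"]:
        return False, "expired"
    # The step introspection does not do: a locked subject invalidates older tokens.
    if claims.get("iat", 0) < REVOKED_BEFORE.get(claims.get("sub"), 0):
        return False, "revoked"
    return True, "active"
```

A service applying this still benefits from short lifetimes: the denylist only needs to hold entries until the longest outstanding token has expired.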
      wesley has marked this topic as solved on 10 Feb 2025, 20:55