FusionAuth
    Understanding JWT Revocation and Introspection in FusionAuth

    wesley (original post):

      From my understanding of general OAuth2 documentation, even though a JWT is a self-contained token carrying its own state, it should still be possible to determine if it has been revoked by querying the /oauth2/introspect endpoint.

      However, this FusionAuth article suggests otherwise, stating that JWTs cannot be revoked and instead recommends using short expiration times or webhooks to notify services when a JWT has been invalidated.

      Specific Questions:

      1. Is my understanding correct that even if a user’s account is locked, the /oauth2/introspect endpoint will still return a valid response for an existing JWT?
      2. Does FusionAuth provide any built-in mechanism to revoke a JWT after it has been issued?
      wesley (reply):

        1. JWTs Cannot Be Revoked:
          • Once a JWT is issued, it remains valid until it expires. JWTs are decoupled authentication tokens, meaning they do not require continuous validation against a central authority.
          • While OAuth2 includes a token introspection endpoint, it is only useful for access tokens and does not support JWT revocation.
        2. What the /oauth2/introspect Endpoint Does:
          • This endpoint verifies whether an access token is valid based on its signature, expiration time, and format.
          • It does not check whether a user’s account has been locked or disabled.
        3. Impact of a Locked Account on JWTs:
          • If a user’s account is locked, they will not be able to obtain a new access token.
          • However, any previously issued JWTs will continue to be valid until they expire, unless you implement additional measures.
        4. How to Handle JWT Revocation:
          Since OAuth2 does not include JWT revocation natively, you can implement one of the following approaches:
          • Use Short Token Lifetimes: Issue JWTs with short expiration times and rely on refresh tokens for continued access.
          • Leverage Webhooks for Denylisting: Use FusionAuth’s event system to notify services when a user is locked or a token should no longer be valid. Services can then maintain a blacklist of invalidated JWTs.

        For more details, refer to:

        • Revoking JWTs in FusionAuth
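The reply above recommends short token lifetimes plus a webhook-fed denylist, but stops at the description. The following is an added example, not code from the original post or from FusionAuth, showing what a resource server would actually do with it: a webhook handler that records the user id and instant from a revocation-type event, and a token check that does what introspection does (signature and expiry) and then the one thing the reply says introspection does not do (reject tokens minted before the user's revocation instant). Assumptions made here: tokens are signed with an HS256 shared secret purely so the example runs offline (FusionAuth issues RS256 tokens by default, so a real service would verify against the JWKS public key instead); the event type names `jwt.refresh-token.revoke`, `user.deactivate` and `user.delete` and the `userId`/`createInstant` fields follow FusionAuth's documented webhook events, but the exact payload shape should be confirmed against the webhook docs for your version; the sample event bodies are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Hypothetical HS256 secret so the example is self-contained. FusionAuth signs
# with RS256 by default; a real service verifies against the JWKS public key.
SECRET = b"example-signing-key-not-for-production"

# Longest access-token lifetime the service accepts (seconds). A denylist entry
# can be dropped once every token issued before the revocation has expired.
MAX_TOKEN_TTL_S = 600

# Denylist: user id -> revocation instant (epoch seconds). Any token for that
# user with iat at or before this instant is treated as revoked.
REVOKED_AT: Dict[str, float] = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(sub: str, iat: int, ttl_s: int = MAX_TOKEN_TTL_S, secret: bytes = SECRET) -> str:
    """Mint a minimal HS256 JWT, standing in for the token FusionAuth would issue."""
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"sub": sub, "iat": iat, "exp": iat + ttl_s}, **compact).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def record_revocation(webhook_body: dict, now_s: Optional[float] = None) -> bool:
    """Handle a FusionAuth webhook POST body; return True if a user was denylisted.

    Event names are FusionAuth's documented ones; the payload layout (event.type,
    event.userId, event.createInstant in epoch milliseconds) is an assumption to
    confirm against the webhook docs for your FusionAuth version.
    """
    now_s = time.time() if now_s is None else now_s
    event = webhook_body.get("event", {})
    if event.get("type") not in ("jwt.refresh-token.revoke", "user.deactivate", "user.delete"):
        return False
    user_id = event.get("userId")
    if not user_id:
        return False
    revoked_at = event.get("createInstant", now_s * 1000) / 1000.0
    # Keep the latest revocation instant seen for the user.
    REVOKED_AT[user_id] = max(revoked_at, REVOKED_AT.get(user_id, 0.0))
    # Purge entries that can no longer match a live token.
    for uid in [u for u, t in REVOKED_AT.items() if t + MAX_TOKEN_TTL_S < now_s]:
        del REVOKED_AT[uid]
    return True


def verify_jwt(token: str, now_s: Optional[float] = None, secret: bytes = SECRET) -> dict:
    """Signature and expiry check (what introspection does) plus the denylist check."""
    now_s = time.time() if now_s is None else now_s
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:
        return {"active": False, "reason": "malformed"}
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return {"active": False, "reason": "malformed"}
    # Pin the algorithm; never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        return {"active": False, "reason": "alg"}
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return {"active": False, "reason": "signature"}
    if claims.get("exp", 0) <= now_s:
        return {"active": False, "reason": "expired"}
    revoked_at = REVOKED_AT.get(claims.get("sub"))
    if revoked_at is not None and claims.get("iat", 0) <= revoked_at:
        return {"active": False, "reason": "revoked"}
    return {"active": True, "claims": claims}


if __name__ == "__main__":
    now = int(time.time())
    tok = issue_jwt("user-1", iat=now - 60)
    print(verify_jwt(tok, now_s=now)["active"])
    # Constructed webhook body, as a locked account would trigger.
    record_revocation({"event": {"type": "user.deactivate", "userId": "user-1",
                                 "createInstant": now * 1000}}, now_s=now)
    print(verify_jwt(tok, now_s=now)["reason"])
```

Two design points worth noting. The denylist is keyed by user and revocation instant rather than by individual token, so a single webhook covers every token the user holds, and it needs no token ids. Entries are bounded by the maximum access-token lifetime, which is why the reply's first recommendation (short lifetimes) and its second (a denylist) belong together: the shorter the lifetime, the smaller and shorter-lived the denylist, and the narrower the window in which a missed or delayed webhook leaves a revoked token usable.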