JWT | Spring Security
5 min read · Nov 1, 2023
In my previous post, I discussed the implementation of JWT-based authentication, authorization, and a token refresh mechanism in Spring Boot 3 and Spring Security 6. This post serves as a continuation of that discussion.
To ensure we’re aligned, please review the following topics before proceeding further.
JWTs have the advantage of being stateless: validating a token requires no database lookup, which reduces database load. The same property becomes a limitation when you need to invalidate a token that has not yet expired.
There are several ways to achieve this; let's go through the options.
- Storing JWTs in a database allows you to track the validity of tokens and identify revoked ones. However, some argue that this approach contradicts the fundamental purpose of using JWTs, which is to maintain statelessness.
- Removing a token from the client effectively prevents that client from making authenticated requests. However, if the token is still valid and falls into the hands of someone else, it remains susceptible…
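As an added illustration of the first option (this is example code, not from the original post), a minimal in-memory revocation store: revoked tokens are keyed by their `jti` claim and kept only until the token's own `exp`, so the store never holds more than the set of revoked tokens that are still unexpired. The `Claims` record and `TokenRevocationStore` class are hypothetical names; a real deployment would back the map with a database or shared cache so every instance sees the same revocations.

```java
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical minimal view of the claims a JWT library hands back after
// it has already verified the signature.
record Claims(String subject, String jti, Instant expiresAt) {}

// Added example: denylist of revoked token ids, bounded by each token's exp.
public class TokenRevocationStore {
    // jti -> exp. An entry can be dropped once exp has passed, because the
    // normal expiry check rejects that token from then on anyway.
    private final Map<String, Instant> revoked = new ConcurrentHashMap<>();

    // Record a revocation (e.g. on logout or password change). Already
    // expired tokens are not stored; they are rejected without a lookup.
    public void revoke(Claims claims) {
        if (claims.jti() != null && claims.expiresAt().isAfter(Instant.now())) {
            revoked.put(claims.jti(), claims.expiresAt());
        }
    }

    public boolean isRevoked(String jti) {
        Instant exp = revoked.get(jti);
        if (exp == null) return false;
        if (exp.isBefore(Instant.now())) { revoked.remove(jti); return false; }
        return true;
    }

    // Run periodically so entries for tokens that expired meanwhile do not pile up.
    public void prune() {
        Instant now = Instant.now();
        revoked.entrySet().removeIf(e -> e.getValue().isBefore(now));
    }

    // Check order: a token must carry a jti (otherwise it cannot be revoked
    // individually and is refused), must be unexpired, and must not be revoked.
    public boolean isUsable(Claims claims) {
        return claims.jti() != null
            && claims.expiresAt().isAfter(Instant.now())
            && !isRevoked(claims.jti());
    }

    public static void main(String[] args) {
        TokenRevocationStore store = new TokenRevocationStore();
        // Constructed sample token: valid for 15 more minutes.
        Claims c = new Claims("alice", "constructed-jti-0001", Instant.now().plusSeconds(900));
        System.out.println("before revocation: " + store.isUsable(c));
        store.revoke(c);
        System.out.println("after revocation:  " + store.isUsable(c));
    }
}
```

In Spring Security this lookup would sit in the same request filter that parses the token, after signature and expiry verification and before the authentication is placed in the security context.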