JSON Web Token expiration

Front-end  Unresolved  4  1246
春和景丽 2021-02-05 10:54

Most JWT (JSON Web Token) tutorials (e.g. this and this) say that, once validated, you can use the incoming token to get client information without validating it from

4 answers
  •  傲寒 (OP)
     2021-02-05 11:15

    It's difficult to revoke JWT-based access tokens if not impossible.

    How should an access token be represented? There are two major ways.

    1. As a meaningless random string. Information associated with an access token is stored in a database table behind an authorization server.
    2. As a self-contained string which is a result of encoding access token information by base64url or something similar.

    A choice between these ways will lead to consequent differences as described in the following table.

    See "7. Access Token" in "Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings" for pros and cons of the ways of access token representation.

    If your access tokens are JWT-based, your system has to (1) remember revoked access tokens until they expire. Another compromise is to (2) make the lifetime of access tokens short enough and give up revoking them.

    Personally, after consideration, I didn't select JWT as access token representation when I implemented an authorization server (Authlete) because it is difficult/impossible to revoke and update JWT-based access tokens once they are issued.
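The two representations and the revocation bookkeeping described in this answer, as an added example that is not part of the original post or of Authlete: an opaque-token store that revokes by deleting a row, beside a minimal HS256 JWT verifier whose only revocation option is a denylist of `jti` values remembered until each token's `exp` (option 1 above), which it prunes as tokens expire. The key, claim values and timestamps are constructed for the demo, and it uses only Python's standard library.

```python
"""Added example (not from the original post): opaque tokens vs. self-contained
JWTs and the revocation bookkeeping each needs. Standard library only; the key,
claims and timestamps below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"demo-hs256-key-not-for-production"  # constructed demo key


# --- Option 1: meaningless random string, state lives in a server-side table --
class OpaqueTokenStore:
    def __init__(self):
        self._rows = {}  # token -> claims; the token means nothing without this

    def issue(self, subject, ttl, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._rows[token] = {"sub": subject, "exp": now + ttl}
        return token

    def revoke(self, token):
        self._rows.pop(token, None)  # revoked instantly, no extra bookkeeping

    def introspect(self, token, now=None):
        now = time.time() if now is None else now
        row = self._rows.get(token)
        if row is None or now >= row["exp"]:
            return None
        return row


# --- Option 2: self-contained HS256 JWT ---------------------------------------
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_sign(claims: dict, key: bytes) -> str:
    """Issue a compact-serialized JWT; nothing about it is stored server-side."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class JwtVerifier:
    """Checks signature and exp; revocation is only possible by remembering the
    jti of each revoked token until that token's own exp has passed."""

    def __init__(self, key: bytes):
        self._key = key
        self._revoked = {}  # jti -> exp

    def revoked_ids(self, now=None):
        now = time.time() if now is None else now
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}  # prune
        return set(self._revoked)

    def revoke(self, token, now=None):
        claims = self.verify(token, now=now, check_revoked=False)
        if claims:  # an already-invalid token needs no denylist entry
            self._revoked[claims["jti"]] = claims["exp"]

    def verify(self, token, now=None, check_revoked=True):
        now = time.time() if now is None else now
        try:
            h, b, s = token.split(".")
            header = json.loads(_b64url_decode(h))
            if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
                return None
            expected = hmac.new(self._key, f"{h}.{b}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(s)):
                return None
            claims = json.loads(_b64url_decode(b))
        except ValueError:  # bad base64, bad JSON, wrong segment count
            return None
        if "exp" not in claims or now >= claims["exp"]:
            return None
        if check_revoked and claims.get("jti") in self.revoked_ids(now):
            return None
        return claims
```

Usage: `JwtVerifier(SECRET).verify(jwt_sign({"sub": "alice", "jti": "abc", "exp": 5000}, SECRET), now=1000)` returns the claims; after `revoke()` the same call returns `None`, and the denylist entry disappears once `now` passes the token's `exp`. The point of the contrast is that the opaque store's `revoke()` is a single row deletion, while the JWT verifier has to carry denylist state that every verifying service must also see.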
