JTI: Using the JWT ID

While learning to use JWT, I was curious about the id option: since the server does not need to store anything about the token, the id field seemed completely redundant.

So I looked up the definition in RFC 7519:

The "jti" (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The "jti" claim can be used to prevent the JWT from being replayed. The "jti" value is a case-sensitive string. Use of this claim is OPTIONAL.

So the purpose of the ID is to prevent the token from being replayed, but this requires that a JTI value never be reused (which differs from many of the usage examples seen online).

I found a similar question on StackOverflow:

https://stackoverflow.com/questions/28907831/how-to-use-jti-claim-in-a-jwt

Indeed, storing all issued JWT IDs undermines the stateless nature of using JWTs. However, the purpose of JWT IDs is to be able to revoke previously-issued JWTs. This can most easily be achieved by blacklisting instead of whitelisting. If you've included the "exp" claim (you should), then you can eventually clean up blacklisted JWTs as they expire naturally. Of course you can implement other revocation options alongside (e.g. revoke all tokens of one client based on a combination of "iat" and "aud").

This answer confirmed my thinking: JWT IDs do need to be stored in a database or cache, but storing all of them goes against the essence of JWT. Following this answerer's reasoning, the JTI is used to revoke tokens via a blacklist, with the blacklist being cleaned up automatically as the tokens expire. A concrete revocation method is shown on GitHub:

https://github.com/auth0/express-jwt#revoked-tokens

var express = require('express');
var jwt = require('express-jwt');
var data = require('./data');          // app-specific module that queries the revocation store
var utilities = require('./utilities');

var app = express();

// Called by express-jwt for every token whose signature already verified.
// Looks up the token's issuer/jti pair in the revocation store;
// done(null, true) tells express-jwt to reject the request.
var isRevokedCallback = function(req, payload, done){
  var issuer = payload.iss;
  var tokenId = payload.jti;

  data.getRevokedToken(issuer, tokenId, function(err, token){
    if (err) { return done(err); }
    return done(null, !!token);   // revoked if an entry exists for this jti
  });
};

app.get('/protected',
  jwt({secret: 'shhhhhhared-secret',   // the secret must be a string or Buffer, not a bare identifier
    isRevoked: isRevokedCallback}),
  function(req, res) {
    if (!req.user.admin) return res.send(401);
    res.send(200);
  });
