How to revoke a JWT token | The JWT lifetime, blacklist and not-before policy

What are JWT tokens? Modern authentication and authorization for microservices th-cam.com/video/9nBu5qtVxMM/w-d-xo.html

I think there is a better way to revoke a JWT token than using a blacklist. If you change the secret stored on the server it makes all the tokens not valid. The way to handle revoking for only one user is to store part of the secret where you normally would store the secret and part on the user record. This prevents leaking the entire secret but allows the user part of the secret to be changed. The user secret can just be a randomly generated string that changes whenever a user changes their password. Another use case would be a token being used for forgotten passwords where you would change the user stored reset secret when the token has been used successfully. It also adds some additional security since every user has a unique secret for their token.

We can have a version field in each tonken's payload, which is a number. We also store each version for each user to redis. On each request we compare the version in token's payload with the corresponding version in the redis, if not equal it means that the token has been invalidated hence the user is forced to refresh their token, then for invalidating a token we just have to increase the version in redis for a specific user.

@PSAfterHours, You recommend to keep the lifetime of a Refresh Token under 20 minutes, but doesn't it mean that if user (for example) leaves our website for more than 20 minutes (not even mentioning going to sleep), he will be forced to log in again on the next visit?

The short version is to just use sessions.
What a shitshow with JWT and loging out!