Implementing JWT Invalidation with Redis Blacklist in Spring Cloud Gateway
This article explains how to invalidate JWT tokens during password changes, permission updates, or logout by using a Redis-backed blacklist approach in Spring Cloud Gateway, detailing the extraction of the token's jti, gateway filtering, downstream modifications, and a logout endpoint implementation.
Solution Overview
A JWT is self-contained: the verifier checks the signature and the exp claim without consulting the issuer, so there is no built-in way to revoke a token before it expires. To support password change, permission update, or logout, token state has to be kept server-side; here a Redis-backed blacklist (or whitelist) records it.
1. Blacklist vs Whitelist
Both approaches store token identifiers in Redis. A whitelist records every valid token and rejects anything not listed; a blacklist records only tokens that have been revoked, so it holds far fewer entries and puts less storage pressure on Redis. The trade-off is failure behaviour: a whitelist fails closed when Redis is unavailable, whereas a blacklist lookup must be written to fail closed deliberately, or a Redis outage silently re-enables revoked tokens.
2. Blacklist Implementation
The blacklist stores the token's jti claim as the Redis key and sets the key's TTL to the token's remaining lifetime, so the entry expires at the same moment the token itself would and Redis never accumulates stale entries. This requires the auth server to put a unique jti in every token it issues; a token without one cannot be revoked and should not be accepted.
3. Gateway Layer Processing
In the global filter GlobalAuthenticationFilter, the JWT is verified and parsed to extract jti and the expiration time. The signature must be checked before the jti is trusted, so a forged or expired token never reaches the Redis lookup. The filter then checks Redis for the presence of the jti: if found, the request is rejected; otherwise it proceeds.
The extracted values are packaged into a JSON payload and forwarded to the downstream microservices in a request header. Because the downstream services trust this payload, the gateway must overwrite any copy of that header supplied by the client, and the services must not be reachable except through the gateway.
4. Downstream Microservice Filter
The downstream AuthenticationFilter decodes the forwarded JSON and populates a JwtInformation object (or its subclass LoginVal) with the jti and expiration, making the data available to business logic without parsing the JWT a second time.
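An added example of the downstream side, not the article's code. It assumes Spring Boot 3 (jakarta.servlet), Jackson, and the same assumed header name and Base64url-encoded JSON layout as the gateway example above (X-Jwt-Info carrying {"jti": ..., "exp": ...}); LoginVal is not shown. The filter re-checks exp as defence in depth and exposes the parsed JwtInformation as a request attribute.

```java
// Added example (not the article's code): downstream servlet filter that reads the payload the
// gateway forwarded and makes it available to business logic. Assumptions: Spring Boot 3
// (jakarta.servlet), Jackson, header name/encoding chosen for this example, and that the service
// is reachable only through the gateway (otherwise the header can be forged by any caller).
package com.example.service;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import java.io.IOException;
import java.util.Base64;

@Component
public class AuthenticationFilter extends OncePerRequestFilter {

    static final String FORWARD_HEADER = "X-Jwt-Info";   // assumed header name, same as the gateway
    static final String ATTRIBUTE = "jwtInformation";     // assumed request attribute name

    /** Mirrors the JwtInformation type the article describes; only jti and exp are modelled. */
    @JsonIgnoreProperties(ignoreUnknown = true)
    public static class JwtInformation {
        public String jti;
        public long exp; // unix seconds, as written by the gateway
    }

    private final ObjectMapper mapper = new ObjectMapper();

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String encoded = request.getHeader(FORWARD_HEADER);
        if (encoded == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        JwtInformation info;
        try {
            byte[] json = Base64.getUrlDecoder().decode(encoded);
            info = mapper.readValue(json, JwtInformation.class);
        } catch (IllegalArgumentException | IOException e) {
            // Malformed Base64 or JSON: reject rather than fall through with empty identity.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Defence in depth: the gateway already rejected expired tokens, but re-check exp here.
        if (info.jti == null || info.exp <= System.currentTimeMillis() / 1000) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        request.setAttribute(ATTRIBUTE, info);
        chain.doFilter(request, response);
    }
}
```

Business code reads the identity with request.getAttribute("jwtInformation"). The filter trusts the header entirely, so the network path matters: if the service port is reachable without passing through the gateway, any caller can mint a header and bypass both signature verification and the blacklist.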
5. Logout Endpoint
The logout API receives the JWT, verifies it, extracts its jti, and stores it in Redis with an expiration equal to the token's remaining TTL, effectively revoking the token. Only tokens that pass signature verification may be written, otherwise any caller could fill Redis with arbitrary keys. If the token has already expired there is nothing to store, and writing an already-listed jti again is harmless, so logout is idempotent.
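An added example of the logout endpoint and the blacklist write described in sections 2 and 5; it is not the article's code. It assumes jjwt 0.11.x, a blocking StringRedisTemplate on the auth server, the same HS256 key and Redis key prefix assumed for the gateway example (jwt.hmac-secret, jwt:blacklist:), and a made-up path /logout. The TTL is computed from the token's own exp claim, so the entry lives exactly as long as the token would.

```java
// Added example (not the article's code): logout endpoint that blacklists the token's jti for
// its remaining lifetime. Assumptions: jjwt 0.11.x, blocking Spring Data Redis, HS256 key in
// jwt.hmac-secret shared with the gateway, path and key prefix chosen for this example.
package com.example.auth;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;

import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;

@RestController
public class LogoutController {

    static final String BLACKLIST_PREFIX = "jwt:blacklist:"; // must match the gateway's prefix

    private final StringRedisTemplate redis;
    private final SecretKey key;

    public LogoutController(StringRedisTemplate redis, @Value("${jwt.hmac-secret}") String secret) {
        this.redis = redis;
        this.key = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
    }

    @PostMapping("/logout")
    public ResponseEntity<Void> logout(@RequestHeader(HttpHeaders.AUTHORIZATION) String auth) {
        if (!auth.startsWith("Bearer ")) {
            return ResponseEntity.badRequest().build();
        }
        Claims claims;
        try {
            claims = Jwts.parserBuilder().setSigningKey(key).build()
                    .parseClaimsJws(auth.substring(7)).getBody();
        } catch (ExpiredJwtException e) {
            // Already expired: nothing to revoke, and logout stays idempotent.
            return ResponseEntity.noContent().build();
        } catch (JwtException e) {
            // Only tokens this server issued may populate the blacklist.
            return ResponseEntity.status(401).build();
        }
        String jti = claims.getId();
        Duration remaining = Duration.between(Instant.now(), claims.getExpiration().toInstant());
        if (jti != null && !remaining.isNegative() && !remaining.isZero()) {
            // TTL equals the remaining lifetime, so the key disappears exactly when the token would.
            redis.opsForValue().set(BLACKLIST_PREFIX + jti, "revoked", remaining);
        }
        return ResponseEntity.noContent().build();
    }
}
```

The write is unconditional (SET rather than SETNX) on purpose: a repeated logout refreshes the TTL to the same remaining lifetime, which cannot extend the entry beyond the token's own expiry.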
Modules Modified
Name: Function
oauth2-cloud-auth-server: OAuth2.0 authentication and authorization service
oauth2-cloud-gateway: Gateway service
oauth2-cloud-auth-common: Common utilities
Testing Steps
1. Log in to obtain a JWT.
2. Access a protected API with the token; the request succeeds.
3. Call the logout endpoint, which adds the token's jti to the Redis blacklist.
4. Attempt to access the protected API again with the same token; the request is rejected because the jti is now blacklisted, even though the token's signature and exp are still valid.
Conclusion
Because a JWT is stateless, recording its jti in Redis is what makes explicit revocation possible, allowing safe logout and other state-changing operations. Revocation on password change or permission update works the same way, provided the issuer can identify the jti values of the user's outstanding tokens; a per-jti blacklist cannot revoke tokens whose identifiers it never sees.
Code Ape Tech Column
Former Ant Group P8 engineer, pure technologist, sharing full‑stack Java, job interview and career advice through a column. Site: java-family.cn