JSON Web Token expiration

security spring-security oauth oauth-2.0 jwt
23,732

It's difficult to revoke JWT-based access tokens if not impossible.

How should an access token be represented? There are two major ways.

  1. As a meaningless random string. Information associated with an access token is stored in a database table behind an authorization server.
  2. As a self-contained string which is a result of encoding access token information by base64url or something similar.

A choice between these ways will lead to consequent differences as described in the following table.

enter image description here

See "7. Access Token" in "Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings" for pros and cons of the ways of access token representation.

If your access tokens are JWT-based, your system has to (1) remember revoked access tokens until they expire. Another compromise is to (2) make lifetime of access tokens short enough and give up revoking them.

Personally, after consideration, I didn't select JWT as access token representation when I implemented an authorization server (Authlete) because it is difficult/impossible to revoke and update JWT-based access tokens once they are issued.

Share:
23,732
Jahid Shohel
Author by

Jahid Shohel

Updated on September 04, 2020

Comments

  • Jahid Shohel
    Jahid Shohel over 3 years

    On most of the JWT (JSON Web Token) tutorial (e.g: this and this) are saying, once validated you can use the incoming token to get client information without validating it from the DB.

    My question is, how invalid user situation is maintained then? What I mean is, lets say a client just got a JWT token which expires in one week. But for very specific reason lets say we decided to invalidate the user, and don't want the user to access our API. But still that user has a token which is valid and user can access the API.

    Of course if we take a round trip to DB for each request then we can validate if the account is valid or invalid. My question is, what is the best way to take care this kind of situation for long lived tokens.

    Thanks in advance.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to manage OAuth flow in mobile application with server
Java Spring JWT with refresh token workflow questions
OAuth2: What is the difference between the JWT Authorization Grant and Client Credentials Grant with JWT client authentication?
How to store access token? (Oauth 2, Auth code flow)
Should jwt web token be encrypted?
What is an opaque token?
Allow OPTIONS HTTP Method for oauth/token request
Does it make sense to store JWT in a database?
JWT refresh token flow
What are the main differences between JWT and OAuth authentication?