security - Why can't JWT refresh tokens be revoked? -


i'm trying wrap head around json web tokens, , make sure i'm not shooting myself (and users) in foot. thus, came across post stop using jwt sessions and, more specifically, the rebuttals counterpoints.

one of counterpoints inability invalidate tokens can combated setting short expiration time , use refresh tokens allow user fetch new tokens without having login again. rebuttal "you can't revoke long-term tokens, means you're square one."

how come can't revoke long-term tokens? wouldn't need passed authentication server, can check list of invalidated tokens (or have deleted refresh token database) , not supply new jwt?

a refresh token can revoked. authentication server issues long term refresh token each client , must keep track of in order validate refresh request.

the refresh token not have self-contained jwt , therefore must stored on server. server associates refresh token client account , delete next refresh request requires new end-user authentication.

this sample authentication response includes refresh token of openidconnect(an oauth2 extension)

http/1.1 200 ok content-type: application/json cache-control: no-store pragma: no-cache  {  "access_token": "slav32hkkg",  "token_type": "bearer",  "refresh_token": "8xloxbtzp8",  "expires_in": 3600,  "id_token": "eyjhbgcioijsuzi1niig..." } 

Comments

Popular posts from this blog

resizing Telegram inline keyboard -

command line - How can a Python program background itself? -

php - "cURL error 28: Resolving timed out" on Wordpress on Azure App Service on Linux -