Invalidating stale software suspend images done

The complexity here is to avoid a server side data store call per request for user information.


You've essentially made JWT stateful instead of stateless if you go to the datastore each time. Any other application-critical data in the JWT token is changed by the site admin.

(If your site receives a high volume of unauthorized requests, then JWT would deny them without hitting the datastore, which is helpful. You cannot wait for token expiration in these cases. Also, you cannot trust the client not to keep and use a copy of the old token, whether with malicious intent or not.

This is primarily a long comment supporting and building on the answer by @matt-way. Given: Some of the other proposed solutions on this page advocate hitting the datastore on every request.

If you hit the main datastore to validate every authentication request, then I see less reason to use JWT instead of other established token authentication mechanisms.

There are probably other use cases like that.) Given: Truly stateless JWT authentication cannot be achieved for a typical, real-world web app because stateless JWT does not have a way to provide immediate and secure support for the following important use cases: User's account is deleted/blocked/suspended. Therefore: I think the answer from @matt-way, #2 Token Black List, would be the most efficient way to add the required state to JWT-based authentication.

You have a blacklist that holds these tokens until their expiration date is hit.

This blacklist is only checked during a refresh token request.

Entries are required to live on it as long as the refresh token TTL.

This would render all associated tokens invalid, as the associated user could no longer be found.

I also wanted to note that it is a good idea to include the last login date with the token, so that you are able to enforce a relogin after some distant period of time.

The problem with this method is that it makes it impossible to keep the user logged in between closes of the client code (depending on how long you make the expiry interval).
