Can't you keep a whitelist/blacklist of tokens in a memory cache like Redis/memcached and go from there? As far as I know that is the standard practice to invalidate non-expired session tokens.
Yes, but if each microservice needs to check a cache on each request, then why use JWT at all? You could just save a classic session (with a random token) in that cache as well.
The Redis cache with invalidated tokens will be much smaller than storing all sessions.
And you can expire the invalidated keys faster (set the invalidated key's expiration to the expiration of the JWT).
Not many people revoke sessions, but a lot of people create sessions. Much more efficient to only store and check revocations. The rest can be stateless.
As explained in the article, if that's the case then you can't really trust the JWT anymore only for its cryptographic signature, and you rely on an internal store entry that makes the token valid/invalid.
This provides no benefit over a bearer token or any random string that the server "knows" is a valid authenticated request via an internal store, like a DB.
That's discussed in the article in the second paragraph under "Problems with JWT". If you're keeping a cache at each server node then you might as well just use bearer tokens.
Because you're only storing the invalidated tokens, and you're only storing them for the length of the token's lifetime (expire the Redis key when the JWT expires).
So instead of storing all session tokens indefinitely, you only store invalidated tokens for a short period of time.
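The revocation scheme the two comments above describe (keep only revoked token ids, each with a TTL equal to the token's remaining lifetime, and check that small set after the stateless signature check) as an added worked example. This is not code from the thread or from any library it mentions: the `TtlStore` class is a constructed stand-in for the Redis SETEX/EXISTS pair, the HS256 encoding and the `issue_token`/`verify_token`/`revoke_token` function names are assumptions made for the illustration, and the secret and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TtlStore:
    """Constructed stand-in for the Redis SETEX/EXISTS pair the thread describes.

    Keys vanish when their TTL passes, so the store only ever holds revocations
    for tokens that have not yet expired on their own.
    """

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so behaviour can be checked deterministically
        self._expiry = {}

    def set_with_ttl(self, key: str, ttl_seconds: float) -> None:
        if ttl_seconds <= 0:  # token is already dead; nothing to remember
            return
        self._expiry[key] = self._clock() + ttl_seconds

    def exists(self, key: str) -> bool:
        deadline = self._expiry.get(key)
        if deadline is None:
            return False
        if deadline <= self._clock():
            del self._expiry[key]  # lazy expiry, as Redis does internally
            return False
        return True

    def __len__(self) -> int:
        now = self._clock()
        self._expiry = {k: v for k, v in self._expiry.items() if v > now}
        return len(self._expiry)


def issue_token(secret: bytes, subject: str, jti: str, lifetime: int, now: int) -> str:
    """Mint an HS256 JWT with a unique id (jti) and an absolute expiry (exp)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "jti": jti, "iat": now, "exp": now + lifetime}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret: bytes, token: str, denylist: TtlStore, now: int) -> dict:
    """Statelessly check signature and expiry, then consult the small revocation set."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(
        secret, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims["exp"] <= now:
        raise ValueError("expired")
    if denylist.exists("revoked:" + claims["jti"]):
        raise ValueError("revoked")
    return claims


def revoke_token(claims: dict, denylist: TtlStore, now: int) -> None:
    """Remember only the jti, and only until the token would expire anyway."""
    denylist.set_with_ttl("revoked:" + claims["jti"], claims["exp"] - now)
```

Because the denylist key carries the same deadline as the token's `exp` claim, the store's size is bounded by the number of revocations issued within one token lifetime, not by the number of live sessions; every unrevoked request is still validated from the signature alone.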
jaimehrubiks|3 years ago
hunterb123|3 years ago
wdb|3 years ago
drinchev|3 years ago
brunojppb|3 years ago
themenomen|3 years ago
rkagerer|3 years ago
dementiapatent|3 years ago
Makes it easy to track issued tokens and revoke them too.
eli|3 years ago
hunterb123|3 years ago