top | item 33023292

vivekv | 3 years ago

I don't quite understand the need for access and session token as a mechanism of expiring sessions. Can we create a signed JWT with the expiration in the body itself? Since it is signed the expiry cannot be tampered with.

sascha_sl | 3 years ago

If you mean access and refresh tokens - both usually have a lifetime in the signed payload.

Your access/ID token is short-lived (~5 minutes). This token is trusted without confirming if the user still has access.

Your refresh token has a longer lifetime (hours to months) and can be used to trade for another access token (and a new refresh token, invalidating the old one), but every time you do this trade your authentication server can also check if the user still exists, is not banned, has not signed out and still has the same claims (username, email, groups...) and either not issue a new token or a token with different claims.

There are proxy servers that will do this entire thing in the background for you and hand you the claims of the current access token in HTTP headers.
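As an added example (not code from the thread or from any particular auth server), here is the flow described above using only the Python standard library: HS256-signed tokens with `exp` in the payload, a short-lived access token that is accepted on signature and expiry alone, and a refresh trade that rotates the refresh token and consults server-side state (revoked and banned lists) before issuing a new pair. The signing key, TTLs, in-memory stores and function names are constructed assumptions.

```python
import base64, hashlib, hmac, json, secrets
SECRET = b"demo-signing-key"          # constructed demo key, not from the thread
ACCESS_TTL, REFRESH_TTL = 300, 3600   # ~5 minutes vs. one hour
_refresh_store = {}   # jti -> subject; a refresh token is live only while listed here
_banned = set()
def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(claims):
    """HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify(token, now):
    """Claims if signature and exp hold, else None. Consults no server state."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected).encode(), sig.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims.get("exp", 0) > now else None

def issue_pair(sub, now):
    jti = secrets.token_hex(8)            # unique id so the server can track this token
    _refresh_store[jti] = sub
    return (sign({"sub": sub, "exp": now + ACCESS_TTL}),
            sign({"sub": sub, "jti": jti, "exp": now + REFRESH_TTL}))

def refresh(refresh_token, now):
    """The trade: signature/exp check, then the server-side checks the post lists."""
    claims = verify(refresh_token, now)
    if claims is None or claims.get("jti") not in _refresh_store:
        return None                       # forged, expired, already rotated or revoked
    del _refresh_store[claims["jti"]]     # rotation: old refresh token is single-use
    if claims["sub"] in _banned:
        return None                       # banned since last trade: no new tokens
    return issue_pair(claims["sub"], now)

def ban(sub): _banned.add(sub)            # takes effect at the user's next trade

def logout(refresh_token, now):
    claims = verify(refresh_token, now)   # revoke refresh; access tokens live until exp
    if claims:
        _refresh_store.pop(claims.get("jti"), None)
```

Note that `verify` never looks at `_refresh_store` or `_banned`: an access token issued before a logout or ban stays valid until its `exp`, which is why the access TTL is kept short.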

Benlights | 3 years ago

If there is an expiration in the JWT, logging off is still an issue. You can't log out until the JWT expires.