11

I have a laravel REST API that uses tymondesigns/jwt-auth for authentication and want to scale application from single server to multi server configuration with a load balancer in front.

The flow uses RefreshToken middleware and essentially a token is invalidated after every request and a new one is returned along with the response. (https://github.com/tymondesigns/jwt-auth/wiki/Authentication)

How is jwt going to manage invalidated tokens in a multi server configuration where the token is invalidated using one server and a new request using the invalidated token is hit on another server?

dannysood
  • 1,129
  • 3
  • 18
  • 36
  • 1
    Why a new request should go with an invalidated token ? Doesn't the user get's the new valid token? – Alex7 Oct 09 '15 at 09:59
  • 2
    that exactly is the security concern. If a hacker gets his hands on a invalidated token (ignoring the how he gets it part) , that token may not be invalidated for another server in the cluster configuration. Hence he can use it valid requests. – dannysood Oct 11 '15 at 10:11

1 Answers1

2

The right way would be to include a jti claim together with exp and iat claims.

Another way is (if you can) to include in your token a server id (or unique key). You can implement a server-to-server jwt protocol, but I think this would be expensive.

Another way is for you to have to sync the tokens between your servers. I would use a memcached daemon (maybe on your front server) that will maintain a list of newly invalidated tokens. If the token is only valid for one request, the memcached will receive the invalidated token as soon as it is used (maybe right in the RefreshToken middleware). Based on the token timestamp, you can decide if the token is invalid (without going to the memcached server) or, if it's pretty new, you will check in the memcached list of consumed tokens. The memcached will also have an expire time. There are many advantages of this method (you can use tags, for example). If you think of this list as a log file, you can still say you did not invalidate the stateless principle :)

Hope that helps.

Community
  • 1
  • 1
Alex
  • 810
  • 9
  • 16