
For my project, I'm implementing an OAuth2 authentication framework that uses Bearer tokens.

From a quick search, it looks like JWT tokens are the mainstream choice for Bearer tokens today.

If I were to use a "dumb" token that doesn't encode any information, I would be storing this token in a database, alongside all the related parameters (the token's user, issue date, expiration date, etc.).

From JWT's documentation I understood that I can avoid this overhead by implementing this flow:

  1. User authenticates with one of the supported methods
  2. Authentication service generates a JWT token and encodes the following parameters into it: user id, authentication method used, issue date, expiration date
  3. Authentication service encrypts and then signs the token
  4. The token is sent to the user for subsequent usage

The encryption step is desirable because I wouldn't like to advertise user IDs.

My understanding is that if I use the above method, I can avoid storing the mapping between access tokens and users, and rely entirely on the user ID information provided with the token.

What disturbs me about this approach is that it looks like I won't have the option to "revoke" access tokens.

In other words, even if an access token becomes compromised, I won't be able to disable it (unless I know the exact compromised token, which is not the case).

Is this a real concern, or am I just missing something? If this concern is real, how can I work around it?

Vasiliy
    You're right, a JWT is valid until it expires and you shouldn't store it. You can build a revocation list, but the usual thing is to let the token expire and adjust the expiration period to your needs. See https://stackoverflow.com/questions/37507714/invalidating-client-side-jwt-session – pedrofb Jul 27 '17 at 09:08

1 Answer


Access tokens are self-contained and are valid as long as the expiration time is valid. There is no specification around invalidating them in the actual spec. Depending on the level of security you need, you can adjust the validation time of the tokens, from a few minutes to hours. Typically the validation time is set to an hour.

If you require a higher level of security, you can use Reference tokens. Reference tokens don't carry any information; they are plain strings. But the server (or whoever is consuming these tokens) has to contact the Token Provider to exchange the reference tokens for the actual response content. But these tokens can be revoked if they are compromised.

Please refer to this link for more information and some suggestions on how to overcome some of the downsides of Reference tokens (like back-channel communication / an extra round trip to the Token Provider). Please let me know if you have any questions.

-Soma.

Soma Yarlagadda
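One way to keep self-contained JWTs and still get revocation back, as an added example that is not part of the original question or answer: a minimal HS256 issuer/verifier using only the Python standard library (no PyJWT) that checks the signature and expiry, keeps a per-token deny list keyed by `jti` for the case where you do hold the leaked token, and keeps a per-user "issued before" cutoff for the case the questioner raises, where you don't know which token leaked. The secret key, the `amr`/`jti` claim names and the in-memory stores are constructed assumptions for the demo.

```python
import base64, hashlib, hmac, json, uuid
SECRET = b"constructed-demo-key-replace-in-production"  # constructed sample key
REVOKED_JTIS = set()   # deny list of individual token ids (drop entries once their exp passes)
USER_CUTOFF = {}       # user id -> reject that user's tokens issued before this time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id: str, auth_method: str, now: int, ttl: int = 900) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "amr": auth_method, "iat": now,
              "exp": now + ttl, "jti": str(uuid.uuid4())}   # jti makes the token revocable
    signing_input = ".".join(_b64url(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, claims))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, now: int):  # returns the claims dict if acceptable, else None
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None              # bad signature: checked before trusting any claim
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None              # refuse "none" or any other algorithm
        claims = json.loads(_b64url_decode(p))
        exp, iat, sub, jti = claims["exp"], claims["iat"], claims["sub"], claims["jti"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None                  # malformed token or missing claims
    if now >= exp:
        return None                  # expired
    if jti in REVOKED_JTIS:
        return None                  # this specific token was revoked
    if iat < USER_CUTOFF.get(sub, 0):
        return None                  # issued before the user's "revoke everything" cutoff
    return claims

def revoke_token(token: str, now: int) -> bool:
    claims = verify_token(token, now)   # only a token you actually hold can be revoked this way
    if claims is None:
        return False
    REVOKED_JTIS.add(claims["jti"])
    return True

def revoke_all_for_user(user_id: str, now: int) -> None:
    # Covers the "I don't know which token leaked" case, e.g. on password reset or logout-everywhere
    USER_CUTOFF[user_id] = now
```

The cutoff map only needs one timestamp per user, and deny-list entries can be dropped once their `exp` has passed, so the server-side state stays far smaller than a full token table.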