Authorize PHP application permanently to make requests to JWT auth protected API

Maybe I searched with the wrong keywords but I never found anything about the following scenario:

I have both an API with JWT auth (Laravel + tymon/jwt-auth) and a PHP application that should query that API protected by a JWT token.

How can I make sure that the app is always authenticated? After reading a lot of tutorials and articles about JWT auth I'm left with these ideas:

  • using a never expiring token which is stored permanently in the consuming application. If I understand it right this could be a security concern because someone who has access to that token has access to the API as long as he wants? But I don't understand why this token shouldn't be invalidated if the token has been stolen?
  • refresh the token on every request and invalidate the old one. This implies that the consuming application has to update the token in its storage after each request (a database would make the most sense, I guess). In my opinion this produces a lot of overhead and it doesn't help with jwt-auth's refresh_ttl setting.
  • using an additional API request (perhaps cron based?) to a refresh route to prevent the token from expiring. Again there is jwt-auth's refresh_ttl problem, I think.

I wonder why there seem to be no discussions/articles about that scenario. I would very much welcome any help on that subject!

Lars asked Nov 07 '16 18:11


1 Answer

You don't want your user logging in every time but you also don't want them to be logged in forever.

Here are my thoughts:

  • I have worked with 1 year tokens for commercial applications. I was using it for low level third party developers; the API concept was already overwhelming for them so I went easy on the auth thingy. Once every year their application broke and they had to reach out to get the new token. Bad design, but it worked.

  • Refreshing your token on every request will kill your performance and let attackers have a consistent way to break/predict your key, no good.

  • In my opinion, this is your most elegant suggestion. You could use some PWA features to accomplish that.

I would suggest increasing the refresh_ttl to 30 days and keeping the ttl at one hour. If you're using an SPA or heavy JS apps: in your JavaScript you could do an ajax setup (or prototype or whatever your JavaScript framework uses for OOP) and have a call to refresh whenever you get a .

If you're using just common page refresh for your apps, store your JWT in a cookie, then your application can refresh it whenever it needs and there will be no special JS to write. HTTPS will take care of security.

Magus answered Oct 01 '22 12:10
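The server-to-server case from the question (a PHP application, not a browser, consuming the API) and the answer's suggestion of a short ttl with a long refresh_ttl can be combined in one small client. The following is an added example, not code from the question, the answer, or the tymon/jwt-auth project: it keeps a persisted token, refreshes it shortly before its `exp` claim, and, once the refresh window has run out (the refresh_ttl problem raised in the question), falls back to a normal login with stored credentials. The route paths `/auth/login` and `/auth/refresh`, the `{"token": "..."}` response shape, and the file-based token store are assumptions for the example.

```php
<?php
// Added example (not from the question, the answer, or tymon/jwt-auth).
// Assumed API contract: POST /auth/login {email,password} -> {"token": "..."}
//                       POST /auth/refresh with "Authorization: Bearer <old>" -> {"token": "..."}
// The refresh route is assumed to accept an expired token only while refresh_ttl has not elapsed.

final class JwtApiClient
{
    private string $baseUrl;
    private string $email;
    private string $password;
    private string $tokenFile;   // persisted token so a restart of the app does not force a login
    private int $skewSeconds;    // refresh this long before 'exp' to tolerate clock drift and latency

    public function __construct(string $baseUrl, string $email, string $password,
                                string $tokenFile, int $skewSeconds = 120)
    {
        $this->baseUrl = rtrim($baseUrl, '/');
        $this->email = $email;
        $this->password = $password;
        $this->tokenFile = $tokenFile;
        $this->skewSeconds = $skewSeconds;
    }

    /** Seconds until the token's 'exp' claim, or null if the token cannot be parsed.
     *  Reading the claim client-side is only a scheduling hint; the API still validates the signature. */
    public static function secondsToExpiry(string $jwt, ?int $now = null): ?int
    {
        $parts = explode('.', $jwt);
        if (count($parts) !== 3) {
            return null;
        }
        $payload = json_decode(self::b64urlDecode($parts[1]), true);
        if (!is_array($payload) || !isset($payload['exp'])) {
            return null;
        }
        return (int)$payload['exp'] - ($now ?? time());
    }

    private static function b64urlDecode(string $s): string
    {
        $s = strtr($s, '-_', '+/');
        $padded = str_pad($s, strlen($s) + (4 - strlen($s) % 4) % 4, '=');
        return base64_decode($padded, true) ?: '';
    }

    /** Return a token that is valid for at least $skewSeconds more, refreshing or re-logging in as needed. */
    public function getToken(): string
    {
        $token = is_file($this->tokenFile) ? trim((string)file_get_contents($this->tokenFile)) : '';
        $left = $token === '' ? null : self::secondsToExpiry($token);

        if ($left !== null && $left > $this->skewSeconds) {
            return $token;                              // still valid, no round trip needed
        }
        if ($token !== '') {                            // expired or about to expire: try the refresh route
            $fresh = $this->post('/auth/refresh', [], $token);
            if ($fresh !== null) {
                return $this->store($fresh);
            }
        }
        // Refresh window (refresh_ttl) gone, or no token yet: log in again with the stored credentials.
        $fresh = $this->post('/auth/login', ['email' => $this->email, 'password' => $this->password]);
        if ($fresh === null) {
            throw new RuntimeException('Could not obtain a JWT from the API');
        }
        return $this->store($fresh);
    }

    private function store(string $token): string
    {
        file_put_contents($this->tokenFile, $token, LOCK_EX);
        chmod($this->tokenFile, 0600);                  // the token is a credential: owner-only on disk
        return $token;
    }

    /** POST a JSON body; return the 'token' field of a 2xx JSON response, or null on any failure. */
    private function post(string $path, array $body, ?string $bearer = null): ?string
    {
        $headers = ['Content-Type: application/json', 'Accept: application/json'];
        if ($bearer !== null) {
            $headers[] = 'Authorization: Bearer ' . $bearer;
        }
        $ch = curl_init($this->baseUrl . $path);
        curl_setopt_array($ch, [
            CURLOPT_POST => true,
            CURLOPT_POSTFIELDS => json_encode($body),
            CURLOPT_HTTPHEADER => $headers,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_SSL_VERIFYPEER => true,             // TLS is what protects the bearer token in transit
            CURLOPT_TIMEOUT => 10,
        ]);
        $raw = curl_exec($ch);
        $status = (int)curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        curl_close($ch);
        if ($raw === false || $status < 200 || $status >= 300) {
            return null;
        }
        $json = json_decode((string)$raw, true);
        return is_array($json) && isset($json['token']) ? (string)$json['token'] : null;
    }
}

// Usage (hostnames and credentials are placeholders):
$client = new JwtApiClient('https://api.example.test', 'service@example.test',
                           getenv('API_PASSWORD') ?: '', __DIR__ . '/.jwt');
$token = $client->getToken();   // send as "Authorization: Bearer $token" on every API call
```

With the answer's settings (ttl of one hour, refresh_ttl of 30 days) this client makes at most one refresh call per hour while the application is in use, and only has to present the password again after 30 days of inactivity; the token on disk is the thing to protect, which is why it is written with owner-only permissions.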