Can Jwt-Auth in laravel handle invalidated tokens in a multi server configuration?

I have a Laravel REST API that uses tymondesigns/jwt-auth for authentication and want to scale the application from a single-server to a multi-server configuration with a load balancer in front.

The flow uses the RefreshToken middleware: essentially, a token is invalidated after every request and a new one is returned along with the response (https://github.com/tymondesigns/jwt-auth/wiki/Authentication).

How is jwt-auth going to manage invalidated tokens in a multi-server configuration where the token is invalidated on one server and a new request using the invalidated token hits another server?

dannysood asked Sep 30 '15 21:09



1 Answer

The right way would be to include a jti claim together with the exp and iat claims.

Another way is (if you can) to include a server id (or unique key) in your token. You could implement a server-to-server JWT protocol, but I think this would be expensive.

Another way is to sync the tokens between your servers. I would use a memcached daemon (maybe on your front server) that maintains a list of newly invalidated tokens. If the token is only valid for one request, memcached will receive the invalidated token as soon as it is used (maybe right in the RefreshToken middleware). Based on the token timestamp, you can decide whether the token is invalid (without going to the memcached server) or, if it's pretty new, check the memcached list of consumed tokens. The memcached entries will also have an expiry time. There are many advantages to this method (you can use tags, for example). If you think of this list as a log file, you can still say you did not violate the stateless principle :)

Hope that helps.

Alex answered Sep 17 '22 18:09

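A model of the third approach from the answer above (a jti claim plus a shared store of consumed token ids), as an added example that is not part of the original answer and not jwt-auth's own code. It is written in Python rather than PHP so it runs stand-alone; the HS256 signing helpers, the in-memory ConsumedStore standing in for memcached, the SECRET and TOKEN_TTL values and the "user42" subject are all assumptions. Two ApiServer nodes share one store, so a token consumed on node A and replayed on node B is rejected; with per-node stores the same replay goes through, which is exactly the failure the question describes.

```python
"""Single-use JWTs behind a load balancer: jti claim + shared consumed-token
store. Added example; the store is an in-memory stand-in for memcached."""
import base64
import hashlib
import hmac
import json
import time
import uuid

SECRET = b"shared-signing-secret"   # assumption: same key on every node
TOKEN_TTL = 60                      # assumption: seconds a token stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, now: float) -> str:
    """Mint an HS256 token carrying sub, jti, iat and exp."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "jti": uuid.uuid4().hex,
              "iat": int(now), "exp": int(now) + TOKEN_TTL}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def verify_token(token: str, now: float) -> dict:
    """Local, stateless checks: signature and exp. Returns claims or raises."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(c))
    if claims["exp"] <= now:
        raise ValueError("expired")      # decided from the timestamp alone
    return claims


class ConsumedStore:
    """Stand-in for a memcached daemon: jti -> expiry timestamp."""
    def __init__(self):
        self._used = {}

    def mark(self, jti: str, expires_at: float) -> None:
        self._used[jti] = expires_at

    def seen(self, jti: str, now: float) -> bool:
        exp = self._used.get(jti)
        if exp is None:
            return False
        if exp <= now:                   # memcached would have evicted it
            del self._used[jti]
            return False
        return True


class ApiServer:
    """One node behind the load balancer."""
    def __init__(self, name: str, store: ConsumedStore):
        self.name = name
        self.store = store

    def handle(self, token: str, now: float) -> str:
        """Refresh-per-request: consume the presented token, return a new one."""
        claims = verify_token(token, now)          # no network round trip
        if self.store.seen(claims["jti"], now):    # only fresh tokens get here
            raise ValueError("token already consumed")
        # Keep the jti only as long as the token itself could be replayed.
        self.store.mark(claims["jti"], claims["exp"])
        return issue_token(claims["sub"], now)


def try_handle(server: ApiServer, token: str, now: float):
    """Return the refreshed token, or None if the node rejects the request."""
    try:
        return server.handle(token, now)
    except ValueError:
        return None


def replay_scenario(shared: bool) -> tuple:
    """Use a token on node A, then replay it on node B.
    Returns (accepted_on_A, accepted_on_B)."""
    now = time.time()
    store_a = ConsumedStore()
    store_b = store_a if shared else ConsumedStore()   # shared vs per-node
    a, b = ApiServer("A", store_a), ApiServer("B", store_b)
    tok = issue_token("user42", now)                   # constructed input
    on_a = try_handle(a, tok, now) is not None
    on_b = try_handle(b, tok, now + 1) is not None
    return (on_a, on_b)


def rotation_across_servers() -> bool:
    """The fresh token issued by A must be accepted by B when the store is shared."""
    now = time.time()
    store = ConsumedStore()
    a, b = ApiServer("A", store), ApiServer("B", store)
    t2 = a.handle(issue_token("user42", now), now)
    return try_handle(b, t2, now + 1) is not None


if __name__ == "__main__":
    print("shared store  (A, B):", replay_scenario(shared=True))
    print("per-node store (A, B):", replay_scenario(shared=False))
```

In a deployment the ConsumedStore is whatever cache every node can reach (memcached, Redis), each entry's TTL equals the token's remaining lifetime so the store stays bounded, and the exp check in verify_token rejects stale tokens before any network lookup is made.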