I have a laravel REST API that uses tymondesigns/jwt-auth for authentication and want to scale application from single server to multi server configuration with a load balancer in front.
The flow uses RefreshToken middleware and essentially a token is invalidated after every request and a new one is returned along with the response. (https://github.com/tymondesigns/jwt-auth/wiki/Authentication)
How is jwt going to manage invalidated tokens in a multi server configuration where the token is invalidated using one server and a new request using the invalidated token is hit on another server?
The right way would be to include a jti claim together with exp and iat claims.
Another way is (if you can) to include in your token a server id (or unique key). You can implement a server-to-server jwt protocol, but I think this would be expensive.
Another way is for you to have to sync the tokens between your servers. I would use a memcached daemon (maybe on your front server) that will maintain a list of newly invalidated tokens. If the token is only valid for one request, the memcached will receive the invalidated token as soon as it is used (maybe right in the RefreshToken middleware). Based on the token timestamp, you can decide if the token is invalid (without going to the memcached server) or, if it's pretty new, you will check in the memcached list of consumed tokens. The memcached will also have an expire time. There are many advantages of this method (you can use tags, for example). If you think of this list as a log file, you can still say you did not invalidate the stateless principle :)
Hope that helps.
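One way to implement the shared consumed-token list the answer describes, as an added example that is not part of the original answer or of the jwt-auth library: Python with an in-memory stand-in for the memcached daemon (constructed), a jti on every token, and the expiry check done from the token's own timestamp before any cache lookup. The claim names, the token lifetime and the store interface are assumptions.

```python
import secrets

TOKEN_TTL = 3600  # assumed lifetime (seconds) of each one-request token


class ConsumedTokenStore:
    """Stand-in for the shared memcached daemon the answer proposes.
    Constructed for this example: a dict with per-key expiry, not memcached."""

    def __init__(self):
        self._expiry = {}

    def add(self, jti, ttl, now):
        # Keep the entry only as long as the token could still be presented;
        # after exp the local timestamp check rejects it without a lookup.
        self._expiry[jti] = now + ttl

    def contains(self, jti, now):
        deadline = self._expiry.get(jti)
        if deadline is None:
            return False
        if deadline <= now:
            del self._expiry[jti]  # lazy eviction, like a memcached expire time
            return False
        return True


def consume_token(claims, store, now):
    """Decide on any server in the pool whether a presented token may be used.
    Returns 'expired', 'already_used' or 'ok'; on 'ok' the jti is recorded in
    the shared store so every other server rejects the same token from now on."""
    if claims["exp"] <= now:
        return "expired"  # decided from the timestamp alone, no cache round-trip
    if store.contains(claims["jti"], now):
        return "already_used"
    store.add(claims["jti"], claims["exp"] - now, now)
    return "ok"


def issue(sub, now):
    """Mint the claims for a new token with a fresh, unique jti (signing is out of scope)."""
    return {"sub": sub, "jti": secrets.token_hex(16), "iat": now, "exp": now + TOKEN_TTL}


def refresh(claims, store, now):
    """The RefreshToken middleware step: consume the old token, return the replacement."""
    verdict = consume_token(claims, store, now)
    if verdict != "ok":
        return verdict, None
    return "ok", issue(claims["sub"], now)
```

Because the store entry lives exactly as long as the token it blocks, the consumed list never grows beyond the tokens that are still within their exp window.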