 

Is JWT Token Revocation worth it?

I previously asked a long question regarding the security of JWT tokens but I want to focus specifically on JWT token revocation here. I am using JWT as my primary authentication mechanism for authenticating mobile clients of a mobile application. My question is: Is it worth implementing token revocation? Currently, I am using a short lifetime for my tokens and I am relying on TLS to prevent tokens from being stolen by unauthorized users. I have not implemented token revocation. But basically this means that if a token is stolen somehow, there is no way to revoke it. What concerns me more is that when a user logs out of the application, the last token they were using still works if I can't revoke it. And it also means that I cannot place a limit on the number of tokens a user can request since I'm not keeping track of any tokens that are issued. I've seen many applications that just store all issued tokens in the database, allowing them to revoke and regulate tokens. But this just seems to defeat the purpose of using JWT. Is it worth adding such complexity or is my current system secure?

Thanks in advance. I appreciate any help.

Sammy Jaafar asked Feb 19 '16 13:02




2 Answers

Whether it's worth it is difficult for anyone here to assess. It depends on what you are protecting and what risks you're trying to mitigate.

You can use reference tokens if you deem it necessary to be able to revoke the tokens. It does force the services consuming these tokens to talk to the authorization server which degrades scalability and introduces a single point of failure.

There are initiatives being developed to prevent token theft. Take a look at the Token Binding Protocol and Proof Key for Code Exchange by OAuth Public Clients.

MvdD answered Oct 02 '22 13:10


I think you should consider the possibility that someone can extract a token, regardless of how you've secured it. It exists on a device you have no control over.

Rather than pass along a token, why don't you negotiate a secret key between the client and your server? They can use that key to sign their requests to your server and you can keep track of those secrets -- even revoke them if someone signs out. This allows you to keep expirations on the signatures low, so even if they are captured they are only good for a couple of minutes.

Travis answered Oct 02 '22 14:10
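The signed-request scheme Travis describes, as an added Python example that is not part of the original thread: the server keeps a per-session HMAC key, each request is signed over the method, path, timestamp and body hash, a signature is only accepted inside a short time window, and logging out simply deletes the key so every further signature from that session fails. The function names, the 120-second window and the in-memory dictionary store are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Server-side registry of per-session signing keys (assumed in-memory store;
# a real deployment would keep this in a database or cache keyed by session id).
SESSION_KEYS = {}
MAX_SKEW = 120  # seconds a request signature stays valid (assumed window)


def issue_secret(user_id):
    """Create a new session: the client receives the id and key over TLS once."""
    session_id = secrets.token_hex(8)
    key = secrets.token_bytes(32)
    SESSION_KEYS[session_id] = (user_id, key)
    return session_id, key


def revoke(session_id):
    """Logout: drop the key, so nothing signed with it verifies any more."""
    return SESSION_KEYS.pop(session_id, None) is not None


def canonical(method, path, body, timestamp):
    """Bind the signature to what the request actually does, not just to a session."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(key, method, path, body, timestamp):
    """Client side: HMAC-SHA256 over the canonical request string."""
    return hmac.new(key, canonical(method, path, body, timestamp), hashlib.sha256).hexdigest()


def verify_request(session_id, method, path, body, timestamp, signature, now=None):
    """Server side: returns the user id on success, None on any failure."""
    now = time.time() if now is None else now
    entry = SESSION_KEYS.get(session_id)
    if entry is None:
        return None  # unknown session, or revoked after logout
    user_id, key = entry
    if abs(now - timestamp) > MAX_SKEW:
        return None  # stale or replayed request outside the window
    expected = sign_request(key, method, path, body, timestamp)
    if not hmac.compare_digest(expected, signature):
        return None  # tampered request or wrong key
    return user_id
```

The key is still on the client device, as Travis notes, so the gain is not secrecy of the key but that a captured signature expires in minutes and the server can cut a session off at any time.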