JSON Web Token expiration

Most of the JWT (JSON Web Token) tutorials (e.g. this and this) say that, once the token is validated, you can use the incoming token to get client information without validating it against the DB.

My question is, how is the invalid-user situation handled then? What I mean is, let's say a client just got a JWT token which expires in one week. But for some very specific reason let's say we decided to invalidate the user, and don't want the user to access our API. That user still has a token which is valid, and the user can access the API.

Of course, if we take a round trip to the DB for each request then we can check whether the account is valid or invalid. My question is, what is the best way to take care of this kind of situation for long-lived tokens?

Thanks in advance.

Jahid Shohel asked May 31 '17 09:05




1 Answer

It's difficult, if not impossible, to revoke JWT-based access tokens.

How should an access token be represented? There are two major ways.

  1. As a meaningless random string. Information associated with an access token is stored in a database table behind an authorization server.
  2. As a self-contained string which is a result of encoding access token information by base64url or something similar.

A choice between these ways will lead to consequent differences as described in the following table.

[Image not reproduced: a table comparing the consequences of the two access token representations.]

See "7. Access Token" in "Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings" for pros and cons of the ways of access token representation.

If your access tokens are JWT-based, your system has to (1) remember revoked access tokens until they expire. Another compromise is to (2) make the lifetime of access tokens short enough and give up revoking them.

Personally, after consideration, I didn't select JWT as access token representation when I implemented an authorization server (Authlete) because it is difficult/impossible to revoke and update JWT-based access tokens once they are issued.

Takahiko Kawasaki answered Oct 13 '22 07:10
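The following is an added example illustrating option (1) from the answer above; it is not code from the question, the answer, or Authlete. It builds and verifies HS256 JWTs with the Python standard library only, and keeps a revocation list keyed by the token's `jti` claim that forgets each entry once that token's `exp` has passed, so the list stays bounded by the number of tokens revoked within one token lifetime. The function names (`issue_token`, `verify_token`, `revoke_token`, `RevocationList`, `check_token`) and the demo key are constructed for this example and correspond to no library's API.

```python
"""Added example: HS256 JWTs plus a revocation list that remembers revoked
tokens only until they expire. Standard library only; every name here is
hypothetical and not part of any JWT library."""
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    # base64url without padding, as used by compact JWT serialization
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes, now: int, ttl_seconds: int) -> str:
    """Build a compact HS256 JWT carrying iat, exp and a unique jti."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims)
    payload["iat"] = now
    payload["exp"] = now + ttl_seconds          # short ttl = option (2)
    payload["jti"] = secrets.token_hex(16)      # unique id the revocation list keys on
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class RevocationList:
    """Maps revoked jti -> exp. Entries are dropped once exp has passed, because
    an expired token is rejected by the exp check anyway (option (1))."""

    def __init__(self) -> None:
        self._revoked: dict = {}

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def prune(self, now: int) -> None:
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}

    def is_revoked(self, jti: str, now: int) -> bool:
        self.prune(now)
        return jti in self._revoked

    def __len__(self) -> int:
        return len(self._revoked)


def verify_token(token: str, key: bytes, revoked: RevocationList, now: int) -> dict:
    """Return the claims if the token is well-formed, HS256-signed with `key`,
    not expired and not revoked; otherwise raise ValueError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":            # pin the algorithm; never trust alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")      # checked before any claim is read
    payload = json.loads(_b64url_decode(p64))
    if now >= payload["exp"]:
        raise ValueError("expired")
    if revoked.is_revoked(payload["jti"], now):
        raise ValueError("revoked")
    return payload


def revoke_token(token: str, key: bytes, revoked: RevocationList, now: int) -> None:
    """Revoke a still-valid token: remember its jti until its own exp."""
    claims = verify_token(token, key, revoked, now)
    revoked.revoke(claims["jti"], claims["exp"])


def check_token(token: str, key: bytes, revoked: RevocationList, now: int) -> str:
    """Convenience wrapper returning 'ok' or the rejection reason."""
    try:
        verify_token(token, key, revoked, now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"   # constructed sample secret
    rl = RevocationList()
    tok = issue_token({"sub": "user42"}, key, now=1000, ttl_seconds=600)
    print(check_token(tok, key, rl, 1001))          # ok
    revoke_token(tok, key, rl, 1002)
    print(check_token(tok, key, rl, 1003), len(rl))  # revoked 1
    rl.prune(1700)
    print(len(rl))                                   # 0: entry dropped after exp
```

The order of checks matters: the signature is verified before any claim is trusted, and `exp` is checked before the revocation list is consulted, which is what allows the list to forget an entry once the token it belongs to has expired. This is still a per-request lookup, but against a small in-memory set rather than the user table, which is the compromise the answer describes.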