Bradford

Reputation: 4193

Why not just use a long TTL reference token in replace of access and refresh JWT tokens?

I'm building both a mobile and single-page app and have been evaluating auth techniques that allow for immediate access/token revocation. I see Auth0 and Stormpath use both access and refresh tokens in addition to allowing for revoking tokens.

What's the point of a refresh token and short TTL access token if you're maintaining a list of valid tokens and checking against that upon each request received on the resource server? Why not create one reference token with the same TTL as you would set on the refresh token, and now you don't have to worry about refreshing the access token (right before it's about to expire) and have one less token to worry about?

Upvotes: 1

Views: 1097

Answers (2)

Lexi Umbrella

Reputation: 11

As of today IdentityServer provides a reference tokens feature as well as refresh/access. According to your requirements it's absolutely right to use reference tokens. This way you will be able to manage its validity internally and immediately. As the docs say:

Reference tokens allow for immediate revocation (by deleting the token data from your IdentityServer data store), whereas a JWT can only be invalidated via expiration.

However, this solution comes with trade-offs:

+ you have complete control over the token's validity

+ your requests from clients are more concise

- some latency introduced due to the need for a database request to check the token

Upvotes: 1

MvdD

Reputation: 23436

Revoking refresh tokens is typically something a resource owner does when he/she thinks the token may have been compromised (phone/laptop lost for example).

Issuing a refresh token and forcing the client to refresh the short-lived access token allows the authorization server to periodically validate that the subject (logged in user) is still valid.

If you issue access tokens that are long lived, you lose the ability to revoke access for users that left the organization.

When someone leaves an organization, the admin wants to delete their account from the identity provider and be assured that they can no longer access any resources. Long lived access tokens would force an admin to also go into possibly multiple authorization servers and delete the access tokens for that user.

Upvotes: 1
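The contrast both answers draw, shown as an added example that is not from the question, either answer, or IdentityServer itself: a resource server validates a self-contained (JWT-like) token by signature and expiry alone, while a reference token is looked up in a store on every request, so deleting the store record revokes it at once. The HMAC-over-JSON token format, the signing key and the in-memory dict standing in for the token data store are simplifications constructed for this example.

```python
import base64, hashlib, hmac, json, os, time
SECRET = b"example-signing-key"   # constructed for this example, not a real key
reference_store = {}              # stand-in for the authorization server's token data store

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# --- self-contained (JWT-like) token: signed claims, verified without any store lookup
def issue_self_contained(sub: str, ttl: int, now: float) -> str:
    payload = json.dumps({"sub": sub, "exp": int(now + ttl)}, sort_keys=True).encode()
    return b64(payload) + "." + b64(hmac.new(SECRET, payload, hashlib.sha256).digest())

def verify_self_contained(token: str, now: float):
    """Resource-server check: signature and expiry only. Returns subject or None."""
    try:
        payload, sig = (unb64(part) for part in token.split("."))
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(SECRET, payload, hashlib.sha256).digest(), sig):
        return None
    claims = json.loads(payload)
    return claims["sub"] if claims["exp"] > now else None

# --- reference token: opaque random id; validity lives in the store, so deleting the
# record revokes it immediately (at the cost of one store lookup per request)
def issue_reference(sub: str, ttl: int, now: float) -> str:
    token = b64(os.urandom(32))
    reference_store[token] = {"sub": sub, "exp": now + ttl}
    return token

def verify_reference(token: str, now: float):
    rec = reference_store.get(token)
    return rec["sub"] if rec and rec["exp"] > now else None

def revoke_subject(sub: str) -> None:
    """Admin removes the user: drop every reference token issued to that subject."""
    for token in [t for t, r in reference_store.items() if r["sub"] == sub]:
        del reference_store[token]

def demo():
    # Issue both token kinds with a 30-day TTL, remove the user, re-check a minute later.
    now = time.time()
    jwt_like = issue_self_contained("alice", 30 * 24 * 3600, now)
    ref = issue_reference("alice", 30 * 24 * 3600, now)
    revoke_subject("alice")
    # The JWT-like token is still accepted until it expires; the reference token is gone at once.
    return verify_self_contained(jwt_like, now + 60), verify_reference(ref, now + 60)
```

`demo()` returns `("alice", None)`: the long-lived self-contained token outlives the account, which is exactly the gap a short access-token TTL plus refresh is meant to close.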
