el_pup_le

Reputation: 12179

JWT handling expiration with a database

I've been thinking about the same problem lately and would like to know if there are any major pitfalls to my token solution:

During JWT validation, if the expiration has passed, an "Expired" response would be returned from the server (ex. 401 w/ "Expired" in body). When the client receives this status, it should initiate a refresh process which trades an expired token for a new one.

The refresh endpoint on the server should take an expired token and perform the following:

  1. Validate token (except expiration)
  2. Retrieve user ID and check if token is in its issuedTokens collection
  3. Issue a new JWT
  4. Remove the expired token from the collection and add the new one

Upon failure of any of these steps, an Unauthorized error should be sent to client which then requires logging in again.

To prevent a never-ending build-up of issued tokens, we can set a TTL on the tokens in the issuedTokens collection. Set the TTL value to the amount of time that a login should be active for before requiring logging in again.

This approach doesn't hit the database unless you keep trying to refresh an expired token. In which case you can make use of a cached blacklist of failed tokens. This can reside next to the application itself if treated as a cache layer.

This is definitely just a work-in-progress solution that I'm about to test out. Let me know your thoughts on it.

Upvotes: 2

Views: 1662

Answers (1)

MvdD

Reputation: 23436

There are several issues I see with this approach. First of all, if I'm able to steal anyone's JWT token, I can keep getting new ones by calling your endpoint.

OAuth2 for example mitigates this by requiring the client to send along client credentials when using a refresh token. Some libraries for public clients use session cookies between client and authorization server (not the resource (API) server) to renew tokens.

The other problem is of course the collection of all JWT tokens, which is like a credentials database. If someone manages to steal this, they gain access to your application as any of your users.

Coming up with your own authentication mechanism is extremely difficult to get correct and therefore very risky.

Upvotes: 2