Babyface_Developer

Reputation: 53

Revoke refresh token

I am currently building a security service that issues JWT tokens and refresh tokens using ASP.NET and the Microsoft JWT library. My questions are (I have refresh tokens from users stored in a DB):

  1. Should I replace the refresh token each time the user requests a new access token using the current refresh token, or just mark that refresh token as revoked with some kind of flag?
  2. Should I delete it or mark it with a flag when there is a request to revoke the token?

Thanks.

Upvotes: 2

Views: 1733

Answers (1)

Tim Biegeleisen

Reputation: 522516

One standard way of dealing with blacklisted JWT tokens is to maintain a blacklist cache of tokens which should no longer be honored. You would typically engineer the setup such that the number of JWTs inside the blacklist cache at any given time would be relatively small. Since a cache is reasonably fast (about 100 times faster than a database lookup), checking the cache with each incoming request is not a performance killer.

The workflow for an incoming JWT would then be modified to this:

  1. Check the claims of the incoming JWT (e.g. exp)
  2. Check the checksum, to make sure the client has not tampered with the JWT
  3. Hit the blacklist cache, verify that the JWT has not been revoked
  4. Grant access to the server-side system

Regarding grooming the blacklist cache, one common approach is to assign an expiry time to each JWT. Then, when a given access or refresh token expires, it can be removed from the cache. Redis, as an example, supports automatic deletion of stale cache entries using expiry time.

Upvotes: 3
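The workflow described in the answer, as an added example that is not part of the original post and not ASP.NET code: a self-contained Python model of an HS256 JWT validator in front of an in-memory blacklist keyed by the token's `jti` claim. The `BlacklistCache` class stands in for Redis; its `_groom` method does by hand what a Redis key expiry would do, dropping a revocation entry once the token it refers to is past `exp` anyway. The signing key, claim names and timestamps are constructed for the demo. One deliberate ordering choice: the signature is verified before any claim is read, because claims in an unverified token cannot be trusted, and this also keeps unsigned junk from ever touching the cache.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service loads its signing key from configuration.
SECRET = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, ttl_seconds: int, now: float) -> str:
    """Create an HS256-signed JWT carrying the given claims plus an exp claim.
    The caller supplies a unique jti so the token can later be blacklisted."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims)
    payload["exp"] = int(now) + ttl_seconds
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class BlacklistCache:
    """In-memory stand-in for a Redis blacklist: maps jti -> token expiry time.
    An entry only needs to live as long as the token itself would be accepted."""

    def __init__(self):
        self._entries = {}

    def revoke(self, jti: str, exp: int) -> None:
        # Remember the token's own exp so the entry can be groomed at that time.
        self._entries[jti] = exp

    def is_revoked(self, jti: str, now: float) -> bool:
        self._groom(now)
        return jti in self._entries

    def _groom(self, now: float) -> None:
        # Equivalent of Redis key expiry: forget entries whose token is already past exp.
        self._entries = {j: e for j, e in self._entries.items() if e > now}

    def size(self) -> int:
        return len(self._entries)


def validate_token(token: str, blacklist: BlacklistCache, now: float):
    """Steps 1-3 of the answer's workflow. Returns (accepted, reason, payload)."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed", None
    # Step 2 (done first): constant-time signature check over header.payload.
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature", None
    payload = json.loads(_b64url_decode(p))
    # Step 1: claim checks; exp is the one the answer names, jti is needed for step 3.
    if "exp" not in payload or payload["exp"] <= now:
        return False, "expired", None
    if "jti" not in payload:
        return False, "missing jti", None
    # Step 3: revocation check against the blacklist cache.
    if blacklist.is_revoked(payload["jti"], now):
        return False, "revoked", None
    # Step 4 is the caller's job: grant access using the verified payload.
    return True, "ok", payload


if __name__ == "__main__":
    cache = BlacklistCache()
    t0 = 1_700_000_000.0  # constructed clock value
    tok = issue_token({"sub": "alice", "jti": "t-1"}, 300, t0)
    print(validate_token(tok, cache, t0 + 10)[:2])
    cache.revoke("t-1", int(t0) + 300)
    print(validate_token(tok, cache, t0 + 10)[:2])
    print("entries after expiry:", cache.is_revoked("t-1", t0 + 301), cache.size())
```

Passing `now` explicitly instead of calling `time.time()` is what makes the expiry and grooming behaviour testable without waiting; in a service the caller would supply the current time.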
