JSON Web Token expiration


Problem description


Most JWT (JSON Web Token) tutorials (e.g. this and this) say that, once validated, you can use the incoming token to get client information without validating it against the DB.

My question is, how is the invalid-user situation maintained then? What I mean is, let's say a client just got a JWT token which expires in one week. But for a very specific reason, let's say we decided to invalidate the user and don't want the user to access our API. But that user still has a token which is valid, and the user can access the API.

Of course, if we take a round trip to the DB for each request, then we can validate whether the account is valid or invalid. My question is, what is the best way to take care of this kind of situation for long-lived tokens?

Thanks in advance.

Solution

It's difficult, if not impossible, to revoke JWT-based access tokens.

How should an access token be represented? There are two major ways.

  1. As a meaningless random string. Information associated with an access token is stored in a database table behind an authorization server.
  2. As a self-contained string which is a result of encoding access token information by base64url or something similar.

A choice between these ways will lead to consequent differences as described in the following table.

See "7. Access Token" in "Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings" for pros and cons of the ways of access token representation.

If your access tokens are JWT-based, your system has to (1) remember revoked access tokens until they expire. Another compromise is to (2) make the lifetime of access tokens short enough and give up revoking them.

Personally, after consideration, I didn't select JWT as access token representation when I implemented an authorization server (Authlete) because it is difficult/impossible to revoke and update JWT-based access tokens once they are issued.
