Revoking JWTs (JSON Web Tokens)

This is a good article! fusionauth looks cool =)<p>Here are some things to consider though (I work on this problem a lotttt):<p>1. Do you (as the app developer) really care about security that much? If not, just go with local validation on your JWTs and understand that there is a window of time, whatever your token lifetime is, that you will be at risk for compromise and abuse. If you do care, continue down the list, if not, just don&#x27;t worry about it.<p>2. So you care about security, yey! Now, your problem is this: what level of risk are you OK with? If you&#x27;re ok with NO risk, continue reading. Otherwise: set your JWT expiration time to the amount of risk you&#x27;re ok with. EG: 1 minute, 5 minute, 1 hour, 1 day, etc.<p>3. OK! So you&#x27;re REALLY serious about security and want no risk. Now we&#x27;re talking! You really only have one choice: validate your JWTs centrally to ensure that a user hasn&#x27;t been deleted, token revoked, etc. But now you have to decide the best way to do this! Here are your options:<p>A) You can validate tokens centrally on every request with the IdP: this is basically the same thing as normal old session management: you check the session against a DB to validate it.<p>B) You create a cache of tokens that are blacklisted (aka: a blacklist), so that you can do an O(1) lookup to see if a token is expired. The only problem? This is usually centralized, too! So no real benefit over option (A) except that it&#x27;s a bit quicker (if you don&#x27;t make mistakes w&#x2F; cache invalidation, etc.).<p>C) You do what this article talks about: you distribute your blacklist directly to your edges: one way to do this is with webhooks, websockets, or really just about any method of syncing data between places. This is a great approach, but unfortunately, a lot more can go wrong: what if your webhook doesn&#x27;t get processed quickly enough? What if your client breaks and stops being able to accept webhooks? What if the webhook server stops firing or gets overloaded?<p>In my personal opinion, (A) is the best choice, because it&#x27;s the simplest, the hardest to get wrong, and can always be cached to speed things up. The only problem with (A)? The only problem is that if you&#x27;re doing it this way, why use a JWT at all? Why not just use a normal old cryptographically signed session ID? Not much benefit, IMO.

The strategies tend to be:<p>1. shorter lifetimes with no other revocation system. This works well if you go back to a central party which has the actual business logic&#x2F;state to decide whether to issue a new token<p>2. token introspection API, possibly with caching to reduce network calls&#x2F;user latency<p>3. API-based blacklist with invalidated token identifiers (either JTI or SID)<p>In the first two approaches you are trying to prevent state from being pushed out to the apps at the edges.<p>The third approach is what I took with Distributed Token Validity API, which was basically a distributed system (via state replication or fetch + cache) to move the minimal state needed as close to the app as feasible.

I think it really depends... I don&#x27;t know that there is a perfect strategy here, but even reducing to a 5-minute token with refresh, I&#x27;m not sure the 5 minute window is that bad. And if it is, there are more serious issues at play.<p>One of the advantages of JWT, especially with public&#x2F;private key signing is that you can verify a token without a potentially long network&#x2F;service request or lookup adding latency to every API request. And if one API passes down to internal APIs it&#x27;s even more of an impact.<p>In the end, pick your poison, but if you want to expire them, may as well generate an identifier as a token&#x2F;cookie and lookup against Redis, or another session database&#x2F;table for the identifier itself. Having the data in the payload doesn&#x27;t do much good if you&#x27;re validating against another service for every request anyway. If you want broader replication Cassandra or a similar database with nodes for replication near each server could help mitigate things, again no need to include the JWT payload in the token at that point though.<p>Using hooks to propagate revocations is almost worse, because it&#x27;s fragile and may see misses in practice.

My friends argue about the best strategies for this. Will send to them to stoke the fires.

This is very informative.<p>FusionAuth seems like an amazing CIAM for anyone to use. I will definitely check it out.<p>Is the core open source? I wonder what language it’s written in?