Confusion with JWT
I'm creating an API for a mobile application that will display medical data.

I want to use a JWT token with a refresh token, but I'm really confused by JWT.

As JWT is stateless, once the token is issued you have no way to invalidate it (you can save the token in your DB and invalidate it, but I think that removes the point of using such a token).

A refresh token is like the login + password of a person (as you can get a JWT token with it), and I don't really understand the value either (except allowing the user to ALWAYS stay connected).

If someone can get a refresh token, this person can get as many JWT tokens as he wants and make a lot of requests on behalf of the user it belongs to.

Should I use a simple token for my authentication?
  • Are you using any concrete library? Anyway, you can invalidate an issued token by checking the time when it was issued and writing a business rule that does not accept tokens where currentTime - tokenIssuedTime > TTL (TTL being the time you want to allow a token to be used).
    – Dez
    yesterday
  • @Dez I'm using a Ruby lib. You don't even need to do that, you can just set an exp attribute on the token.
    – cappie013
    yesterday
  • Ah, now I understand what you meant. The value of the refresh token is quite clear to me. How would you feel as a user having to enter your login and password each time you perform an action? The refresh token is the system that avoids that while maintaining a layer of security by expiring the JWT token with short access times. So you use the refresh token to avoid asking the user to authenticate. About someone getting the refresh token, you have to manage to blacklist them, and you should also have another layer of security by requiring an authorization in the request that uses the refresh token.
    – Dez
    yesterday
jwt
asked yesterday
cappie013
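The question and the comments above describe two halves of the usual design: a short-lived, stateless JWT that is rejected purely from its `exp` claim (Dez's TTL rule, or the `exp` attribute cappie013 mentions), and a server-side refresh token that carries the state the JWT lacks, so it can be rotated on every use and blacklisted if it leaks. The block below is an added example, not code from the question, the comments or any particular Ruby library: it implements a minimal HS256 issuer/verifier and an in-memory refresh-token store with rotation and reuse detection using only Ruby's standard library. The secret key, the 15-minute access TTL, the 30-day refresh TTL and the in-memory hash are assumptions for illustration.

```ruby
# Added example (not from the question or comments). Assumptions: HS256 with a
# shared secret, 15 min access TTL, 30 day refresh TTL, in-memory store.
require 'openssl'
require 'json'
require 'securerandom'

module MiniJwt
  ACCESS_TTL = 15 * 60 # short-lived access token (assumed: 15 minutes)

  def self.b64url(data)
    [data].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.unb64url(str)
    padded = str.tr('-_', '+/')
    padded += '=' * ((4 - padded.length % 4) % 4)
    padded.unpack1('m0') # strict decode: raises ArgumentError on bad input
  end

  # Constant-time comparison so a signature check does not leak timing.
  def self.secure_eql?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Issue a signed token carrying iat/exp; `now` is injectable for testing.
  def self.issue(key, sub, now: Time.now.to_i, ttl: ACCESS_TTL)
    header  = b64url(JSON.generate(alg: 'HS256', typ: 'JWT'))
    payload = b64url(JSON.generate(sub: sub, iat: now, exp: now + ttl))
    signing_input = "#{header}.#{payload}"
    "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', key, signing_input))}"
  end

  # The stateless check: algorithm, signature and exp, needing only the key and
  # the clock. Returns the claims Hash, or nil for anything that fails.
  def self.verify(key, token, now: Time.now.to_i)
    header_b64, payload_b64, sig_b64 = token.split('.', 3)
    return nil if sig_b64.nil?
    header = JSON.parse(unb64url(header_b64))
    return nil unless header.is_a?(Hash) && header['alg'] == 'HS256' # reject "none" etc.
    expected = OpenSSL::HMAC.digest('SHA256', key, "#{header_b64}.#{payload_b64}")
    return nil unless secure_eql?(expected, unb64url(sig_b64))
    claims = JSON.parse(unb64url(payload_b64))
    return nil unless claims.is_a?(Hash) && claims['exp'].is_a?(Integer) && now < claims['exp']
    claims
  rescue JSON::ParserError, ArgumentError
    nil
  end
end

# The stateful half: refresh tokens are opaque random strings, stored hashed,
# bound to a user, single-use (rotated on every refresh) and revocable. Reuse
# of an already-rotated token is treated as theft and revokes the whole family.
class RefreshStore
  REFRESH_TTL = 30 * 24 * 3600 # assumed: 30 days

  def initialize(key)
    @key = key
    @rows = {} # sha256(token) => { sub:, exp:, family:, used: }
  end

  # Returns the opaque token handed to the client; only its hash is stored.
  def create(sub, now: Time.now.to_i, family: SecureRandom.hex(8))
    token = SecureRandom.urlsafe_base64(32)
    @rows[digest(token)] = { sub: sub, exp: now + REFRESH_TTL, family: family, used: false }
    token
  end

  # Exchange a refresh token for [new access JWT, new refresh token], or nil.
  def refresh(token, now: Time.now.to_i)
    row = @rows[digest(token)]
    return nil if row.nil? || now >= row[:exp]
    if row[:used]
      revoke_family(row[:family]) # replay of a rotated token => compromise
      return nil
    end
    row[:used] = true
    [MiniJwt.issue(@key, row[:sub], now: now),
     create(row[:sub], now: now, family: row[:family])]
  end

  def revoke_family(family)
    @rows.delete_if { |_, r| r[:family] == family }
  end

  # On logout or password change: every refresh token for the user dies, and
  # outstanding access tokens die on their own within ACCESS_TTL.
  def revoke_all(sub)
    @rows.delete_if { |_, r| r[:sub] == sub }
  end

  private

  def digest(token)
    OpenSSL::Digest::SHA256.hexdigest(token)
  end
end
```

With this split, the access token is never stored or looked up, so the stateless property is kept; only the refresh endpoint touches the database, and that is where a leaked refresh token is caught (replay of a rotated token, or an explicit revoke_all on logout or password change). The window in which a compromised access token stays usable is bounded by ACCESS_TTL, which is why it is kept short. In a real Ruby application the JWT half would normally be the ruby-jwt gem (`JWT.encode(payload, key, 'HS256')` / `JWT.decode(token, key, true, algorithm: 'HS256')`, which rejects an expired `exp` by default), and the store would be a database table rather than a Hash.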