Confusion with JWT
up vote
0
down vote
favorite
I'm creating an API for a mobile application that will display medical data.
I want to use a JWT token with a refresh token. But I'm really confused with JWT.
As JWT is stateless, once the token is issued, you have no way to invalidate it (you can save the token in your DB and invalidate it, but I think it removes the interest of using such a token).
A refresh token is like the login + password (as you can get a JWT token with it) of a person, and I don't really understand the value either (except allowing the user to ALWAYS stay connected).
If someone can get a refresh token, this person can get as many JWT token as he wants, and do a lot of request on behalf of the user it belongs.
Should I use a simple token for my authentication?
jwt
add a comment |
up vote
0
down vote
favorite
I'm creating an API for a mobile application that will display medical data.
I want to use a JWT token with a refresh token. But I'm really confused with JWT.
As JWT is stateless, once the token is issued, you have no way to invalidate it (you can save the token in your DB and invalidate it, but I think it removes the interest of using such a token).
A refresh token is like the login + password (as you can get a JWT token with it) of a person, and I don't really understand the value either (except allowing the user to ALWAYS stay connected).
If someone can get a refresh token, this person can get as many JWT token as he wants, and do a lot of request on behalf of the user it belongs.
Should I use a simple token for my authentication?
jwt
Are you using any concrete library? Anyway, you can invalidate a token issued by checking the time where it was issued and write a business rule to check to not accept tokens ofcurrentTime - tokenIssuedTIme > TTL
(being TTL the time you want to allow a token to be used).
– Dez
yesterday
@Dez I'm using a Ruby lib. You don't even need to do that, you can just set aexp
attributes to the token
– cappie013
yesterday
Ah, now I understand what you meant. The value of the refresh token is quite clear for me. How would you feel as an user to have to enter your login and password each time you perform an action? Refresh token is the system that avoids that while maintaining a layer of security by expiring the JWT token with short access times. So you use refresh token to avoid asking the user to authenticate. About someone getting the refresh token, you have to manage to blacklist them and also you should have another layer of security by requesting an authorization in the request using the refresh token.
– Dez
yesterday
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I'm creating an API for a mobile application that will display medical data.
I want to use a JWT token with a refresh token. But I'm really confused with JWT.
As JWT is stateless, once the token is issued, you have no way to invalidate it (you can save the token in your DB and invalidate it, but I think it removes the interest of using such a token).
A refresh token is like the login + password (as you can get a JWT token with it) of a person, and I don't really understand the value either (except allowing the user to ALWAYS stay connected).
If someone can get a refresh token, this person can get as many JWT token as he wants, and do a lot of request on behalf of the user it belongs.
Should I use a simple token for my authentication?
jwt
I'm creating an API for a mobile application that will display medical data.
I want to use a JWT token with a refresh token. But I'm really confused with JWT.
As JWT is stateless, once the token is issued, you have no way to invalidate it (you can save the token in your DB and invalidate it, but I think it removes the interest of using such a token).
A refresh token is like the login + password (as you can get a JWT token with it) of a person, and I don't really understand the value either (except allowing the user to ALWAYS stay connected).
If someone can get a refresh token, this person can get as many JWT token as he wants, and do a lot of request on behalf of the user it belongs.
Should I use a simple token for my authentication?
jwt
jwt
asked yesterday
cappie013
1,1171019
1,1171019
Are you using any concrete library? Anyway, you can invalidate a token issued by checking the time where it was issued and write a business rule to check to not accept tokens ofcurrentTime - tokenIssuedTIme > TTL
(being TTL the time you want to allow a token to be used).
– Dez
yesterday
@Dez I'm using a Ruby lib. You don't even need to do that, you can just set aexp
attributes to the token
– cappie013
yesterday
Ah, now I understand what you meant. The value of the refresh token is quite clear for me. How would you feel as an user to have to enter your login and password each time you perform an action? Refresh token is the system that avoids that while maintaining a layer of security by expiring the JWT token with short access times. So you use refresh token to avoid asking the user to authenticate. About someone getting the refresh token, you have to manage to blacklist them and also you should have another layer of security by requesting an authorization in the request using the refresh token.
– Dez
yesterday
add a comment |
Are you using any concrete library? Anyway, you can invalidate a token issued by checking the time where it was issued and write a business rule to check to not accept tokens ofcurrentTime - tokenIssuedTIme > TTL
(being TTL the time you want to allow a token to be used).
– Dez
yesterday
@Dez I'm using a Ruby lib. You don't even need to do that, you can just set aexp
attributes to the token
– cappie013
yesterday
Ah, now I understand what you meant. The value of the refresh token is quite clear for me. How would you feel as an user to have to enter your login and password each time you perform an action? Refresh token is the system that avoids that while maintaining a layer of security by expiring the JWT token with short access times. So you use refresh token to avoid asking the user to authenticate. About someone getting the refresh token, you have to manage to blacklist them and also you should have another layer of security by requesting an authorization in the request using the refresh token.
– Dez
yesterday
Are you using any concrete library? Anyway, you can invalidate a token issued by checking the time where it was issued and write a business rule to check to not accept tokens of
currentTime - tokenIssuedTIme > TTL
(being TTL the time you want to allow a token to be used).– Dez
yesterday
Are you using any concrete library? Anyway, you can invalidate a token issued by checking the time where it was issued and write a business rule to check to not accept tokens of
currentTime - tokenIssuedTIme > TTL
(being TTL the time you want to allow a token to be used).– Dez
yesterday
@Dez I'm using a Ruby lib. You don't even need to do that, you can just set a
exp
attributes to the token– cappie013
yesterday
@Dez I'm using a Ruby lib. You don't even need to do that, you can just set a
exp
attributes to the token– cappie013
yesterday
Ah, now I understand what you meant. The value of the refresh token is quite clear for me. How would you feel as an user to have to enter your login and password each time you perform an action? Refresh token is the system that avoids that while maintaining a layer of security by expiring the JWT token with short access times. So you use refresh token to avoid asking the user to authenticate. About someone getting the refresh token, you have to manage to blacklist them and also you should have another layer of security by requesting an authorization in the request using the refresh token.
– Dez
yesterday
Ah, now I understand what you meant. The value of the refresh token is quite clear for me. How would you feel as an user to have to enter your login and password each time you perform an action? Refresh token is the system that avoids that while maintaining a layer of security by expiring the JWT token with short access times. So you use refresh token to avoid asking the user to authenticate. About someone getting the refresh token, you have to manage to blacklist them and also you should have another layer of security by requesting an authorization in the request using the refresh token.
– Dez
yesterday
add a comment |
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53237449%2fconfusion-with-jwt%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Are you using any concrete library? Anyway, you can invalidate a token issued by checking the time where it was issued and write a business rule to check to not accept tokens of
currentTime - tokenIssuedTIme > TTL
(being TTL the time you want to allow a token to be used).– Dez
yesterday
@Dez I'm using a Ruby lib. You don't even need to do that, you can just set a
exp
attributes to the token– cappie013
yesterday
Ah, now I understand what you meant. The value of the refresh token is quite clear for me. How would you feel as an user to have to enter your login and password each time you perform an action? Refresh token is the system that avoids that while maintaining a layer of security by expiring the JWT token with short access times. So you use refresh token to avoid asking the user to authenticate. About someone getting the refresh token, you have to manage to blacklist them and also you should have another layer of security by requesting an authorization in the request using the refresh token.
– Dez
yesterday