Confusion with JWT









up vote
0
down vote

favorite












I'm creating an API for a mobile application that will display medical data.



I want to use a JWT token with a refresh token. But I'm really confused with JWT.



As JWT is stateless, once the token is issued, you have no way to invalidate it (you can save the token in your DB and invalidate it, but I think it removes the interest of using such a token).



A refresh token is like the login + password (as you can get a JWT token with it) of a person, and I don't really understand the value either (except allowing the user to ALWAYS stay connected).



If someone can get a refresh token, this person can get as many JWT token as he wants, and do a lot of request on behalf of the user it belongs.



Should I use a simple token for my authentication?










share|improve this question





















  • Are you using any concrete library? Anyway, you can invalidate a token issued by checking the time where it was issued and write a business rule to check to not accept tokens of currentTime - tokenIssuedTIme > TTL (being TTL the time you want to allow a token to be used).
    – Dez
    yesterday










  • @Dez I'm using a Ruby lib. You don't even need to do that, you can just set a exp attributes to the token
    – cappie013
    yesterday










  • Ah, now I understand what you meant. The value of the refresh token is quite clear for me. How would you feel as an user to have to enter your login and password each time you perform an action? Refresh token is the system that avoids that while maintaining a layer of security by expiring the JWT token with short access times. So you use refresh token to avoid asking the user to authenticate. About someone getting the refresh token, you have to manage to blacklist them and also you should have another layer of security by requesting an authorization in the request using the refresh token.
    – Dez
    yesterday














up vote
0
down vote

favorite












I'm creating an API for a mobile application that will display medical data.



I want to use a JWT token with a refresh token. But I'm really confused with JWT.



As JWT is stateless, once the token is issued, you have no way to invalidate it (you can save the token in your DB and invalidate it, but I think it removes the interest of using such a token).



A refresh token is like the login + password (as you can get a JWT token with it) of a person, and I don't really understand the value either (except allowing the user to ALWAYS stay connected).



If someone can get a refresh token, this person can get as many JWT token as he wants, and do a lot of request on behalf of the user it belongs.



Should I use a simple token for my authentication?










share|improve this question





















  • Are you using any concrete library? Anyway, you can invalidate a token issued by checking the time where it was issued and write a business rule to check to not accept tokens of currentTime - tokenIssuedTIme > TTL (being TTL the time you want to allow a token to be used).
    – Dez
    yesterday










  • @Dez I'm using a Ruby lib. You don't even need to do that, you can just set a exp attributes to the token
    – cappie013
    yesterday










  • Ah, now I understand what you meant. The value of the refresh token is quite clear for me. How would you feel as an user to have to enter your login and password each time you perform an action? Refresh token is the system that avoids that while maintaining a layer of security by expiring the JWT token with short access times. So you use refresh token to avoid asking the user to authenticate. About someone getting the refresh token, you have to manage to blacklist them and also you should have another layer of security by requesting an authorization in the request using the refresh token.
    – Dez
    yesterday












up vote
0
down vote

favorite









up vote
0
down vote

favorite











I'm creating an API for a mobile application that will display medical data.



I want to use a JWT token with a refresh token. But I'm really confused with JWT.



As JWT is stateless, once the token is issued, you have no way to invalidate it (you can save the token in your DB and invalidate it, but I think it removes the interest of using such a token).



A refresh token is like the login + password (as you can get a JWT token with it) of a person, and I don't really understand the value either (except allowing the user to ALWAYS stay connected).



If someone can get a refresh token, this person can get as many JWT token as he wants, and do a lot of request on behalf of the user it belongs.



Should I use a simple token for my authentication?










share|improve this question













I'm creating an API for a mobile application that will display medical data.



I want to use a JWT token with a refresh token. But I'm really confused with JWT.



As JWT is stateless, once the token is issued, you have no way to invalidate it (you can save the token in your DB and invalidate it, but I think it removes the interest of using such a token).



A refresh token is like the login + password (as you can get a JWT token with it) of a person, and I don't really understand the value either (except allowing the user to ALWAYS stay connected).



If someone can get a refresh token, this person can get as many JWT token as he wants, and do a lot of request on behalf of the user it belongs.



Should I use a simple token for my authentication?







jwt






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked yesterday









cappie013

1,1171019




1,1171019











  • Are you using any concrete library? Anyway, you can invalidate a token issued by checking the time where it was issued and write a business rule to check to not accept tokens of currentTime - tokenIssuedTIme > TTL (being TTL the time you want to allow a token to be used).
    – Dez
    yesterday










  • @Dez I'm using a Ruby lib. You don't even need to do that, you can just set a exp attributes to the token
    – cappie013
    yesterday










  • Ah, now I understand what you meant. The value of the refresh token is quite clear for me. How would you feel as an user to have to enter your login and password each time you perform an action? Refresh token is the system that avoids that while maintaining a layer of security by expiring the JWT token with short access times. So you use refresh token to avoid asking the user to authenticate. About someone getting the refresh token, you have to manage to blacklist them and also you should have another layer of security by requesting an authorization in the request using the refresh token.
    – Dez
    yesterday
















  • Are you using any concrete library? Anyway, you can invalidate a token issued by checking the time where it was issued and write a business rule to check to not accept tokens of currentTime - tokenIssuedTIme > TTL (being TTL the time you want to allow a token to be used).
    – Dez
    yesterday










  • @Dez I'm using a Ruby lib. You don't even need to do that, you can just set a exp attributes to the token
    – cappie013
    yesterday










  • Ah, now I understand what you meant. The value of the refresh token is quite clear for me. How would you feel as an user to have to enter your login and password each time you perform an action? Refresh token is the system that avoids that while maintaining a layer of security by expiring the JWT token with short access times. So you use refresh token to avoid asking the user to authenticate. About someone getting the refresh token, you have to manage to blacklist them and also you should have another layer of security by requesting an authorization in the request using the refresh token.
    – Dez
    yesterday















Are you using any concrete library? Anyway, you can invalidate a token issued by checking the time where it was issued and write a business rule to check to not accept tokens of currentTime - tokenIssuedTIme > TTL (being TTL the time you want to allow a token to be used).
– Dez
yesterday




Are you using any concrete library? Anyway, you can invalidate a token issued by checking the time where it was issued and write a business rule to check to not accept tokens of currentTime - tokenIssuedTIme > TTL (being TTL the time you want to allow a token to be used).
– Dez
yesterday












@Dez I'm using a Ruby lib. You don't even need to do that, you can just set a exp attributes to the token
– cappie013
yesterday




@Dez I'm using a Ruby lib. You don't even need to do that, you can just set a exp attributes to the token
– cappie013
yesterday












Ah, now I understand what you meant. The value of the refresh token is quite clear for me. How would you feel as an user to have to enter your login and password each time you perform an action? Refresh token is the system that avoids that while maintaining a layer of security by expiring the JWT token with short access times. So you use refresh token to avoid asking the user to authenticate. About someone getting the refresh token, you have to manage to blacklist them and also you should have another layer of security by requesting an authorization in the request using the refresh token.
– Dez
yesterday




Ah, now I understand what you meant. The value of the refresh token is quite clear for me. How would you feel as an user to have to enter your login and password each time you perform an action? Refresh token is the system that avoids that while maintaining a layer of security by expiring the JWT token with short access times. So you use refresh token to avoid asking the user to authenticate. About someone getting the refresh token, you have to manage to blacklist them and also you should have another layer of security by requesting an authorization in the request using the refresh token.
– Dez
yesterday

















active

oldest

votes











Your Answer






StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53237449%2fconfusion-with-jwt%23new-answer', 'question_page');

);

Post as a guest



































active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53237449%2fconfusion-with-jwt%23new-answer', 'question_page');

);

Post as a guest














































































Popular posts from this blog

Top Tejano songwriter Luis Silva dead of heart attack at 64

政党

天津地下鉄3号線