Invalidating JSON Web Tokens

前端 未结 28 2424
夕颜
夕颜 2020-11-22 06:17

For a new node.js project I\'m working on, I\'m thinking about switching over from a cookie based session approach (by this, I mean, storing an id to a key-value store conta

相关标签:
28条回答
  • 2020-11-22 07:05

    I am going to answer If we need to provide logout from all devices feature when we are using JWT. This approach will use database look-ups for each requests. Because we need a persistence security state even if there is a server crash. In the user table we will have two columns

    1. LastValidTime (default: creation time)
    2. Logged-In (default: true)

    Whenever there is a log out request from the user we will update the LastValidTime to current time and Logged-In to false. If there is a log in request we wont change LastValidTime but Logged-In will be set to true.

    When we create the JWT we will have the JWT creation time in the payload. When we authorize for a service we will check 3 conditions

    1. Is JWT valid
    2. Is JWT payload creation time is greater than User LastValidTime
    3. Is user Logged-In

    Lets see a practical scenario.

    User X has two devices A, B. He logged in to our server at 7 pm using device A and device B. (lets say JWT expire time is 12 hrs). A and B both have JWT with createdTime : 7pm

    At 9 pm he lost his device B. He immediately log out from the device A. That means Now our database X user entry has LastValidTime as "ThatDate:9:00:xx:xxx" and Logged-In as "false".

    At 9:30 the Mr.Thief tries to log in using device B. We will check the database even the Logged-In is false so we wont allow.

    At 10 pm Mr.X log in from his device A. Now device A has JWT with created time : 10pm. Now database Logged-In is set to "true"

    At 10:30 pm Mr.Thief tries to log in. Even though the Logged-In is true. The LastValidTime is 9 pm in the database but B's JWT has created time as 7pm. So he wont be allowed to access the service. So using device B without having the password he cannot use already created JWT after one device log out.

    0 讨论(0)
  • 2020-11-22 07:05

    IAM solution like Keycloak (which I'have worked on) provide Token Revocation endpoint like

    Token Revocation Endpoint /realms/{realm-name}/protocol/openid-connect/revoke

    Of if you simply want to logout an useragent(or user), you could call an endpoint as well(this would simply invalidate the Tokens). Again, in the case of Keycloak, the Relying Party just needs to call the endpoint

    /realms/{realm-name}/protocol/openid-connect/logout

    Link in case if you want to learn more

    0 讨论(0)
  • 2020-11-22 07:06
    1. Give 1 day expiry time for the tokens
    2. Maintain a daily blacklist.
    3. Put the invalidated / logout tokens into the blacklist

    For token validation, check for the token expiry time first and then the blacklist if token not expired.

    For long session needs, there should be a mechanism for extending token expiry time.

    0 讨论(0)
  • 2020-11-22 07:08

    Unique per user string, and global string hashed together

    to serve as the JWT secret portion allow both individual and global token invalidation. Maximum flexibility at the cost of a db lookup/read during request auth. Also easy to cache as well, since they are seldom changing.

    Here's an example:

    HEADER:ALGORITHM & TOKEN TYPE
    
    {
      "alg": "HS256",
      "typ": "JWT"
    }
    PAYLOAD:DATA
    
    {
      "sub": "1234567890",
      "some": "data",
      "iat": 1516239022
    }
    VERIFY SIGNATURE
    
    HMACSHA256(
      base64UrlEncode(header) + "." +
      base64UrlEncode(payload), 
      HMACSHA256('perUserString'+'globalString')
    )
    
    where HMACSHA256 is your local crypto sha256
      nodejs 
        import sha256 from 'crypto-js/sha256';
        sha256(message);
    

    for example usage see https://jwt.io (not sure they handle dynamic 256 bit secrets)

    0 讨论(0)
提交回复
热议问题