Is my approach for JWT okay?
Posted by Coder_Koala@reddit | learnprogramming | View on Reddit | 12 comments
A. Access tokens: Short lived (5 - 15 mins), stateless (do NOT query the database, just check that signature, issuer, audience and expiration are all valid)
B. Refresh tokens: Longer lived, stateful (check if token is in some token revocation table in the database)
As you can see, I am NOT checking the database for access tokens, a I believe it should be enough to trust the signature and claims, if everything is correct.
What are your thoughts on this approach? Is it secure?
Belzebubiec@reddit
Your approach sounds pretty solid! Using short-lived, stateless access tokens and relying on just the signature and claims for validation is standard practice and generally secure as long as you’re implementing it properly. Refresh tokens being stateful and checked against a revocation list is also a good call for handling long-term access and token invalidation.
Just make sure you're using strong algorithms for signing, securing your refresh tokens properly, and rotating tokens when needed. Also, consider rate-limiting or adding extra checks for sensitive actions, just in case someone gets a hold of an access token within that short window.
Overall, looks good—you're on the right track!
Trollzore@reddit
Thanks for the feedback! It seems like you’re emphasizing the importance of solid security practices, especially around token management and validation. I completely agree—using robust signing algorithms, proper storage of refresh tokens, and rotating tokens when necessary are critical steps in securing an application.
The idea of rate-limiting sensitive actions is also a good precaution, especially to mitigate the risk of token misuse. Token expiration and proper validation ensure that even if an access token is compromised, its potential impact is limited.
Glad to hear the approach seems solid to you! Is there anything else you’d suggest or any particular challenges you’ve encountered in implementing this kind of setup?
ssjgod004@reddit
Is this a LLM response?
Master_Carrot_9631@reddit
Ngl I also thought I was looking at something AI generated
mxldevs@reddit
Do people actually speak like coaches in real life
bravopapa99@reddit
One thing though, let's say 15 mins lifetime. If a user 'logs out' after 5 minutes... their token is still valid for another 10 minutes. If you don't have that token saved as a 'no longer admissible' then you are potentially open to attack if it was stolen somehow.
Coder_Koala@reddit (OP)
Yes, that is exactly the tradeoff with this approach. But I have read that we use a centralized state for checking access tokens, we are giving up on the whole purpose of using JWT in the first place, which was statelessnes + scalability.
bravopapa99@reddit
Exactly that. I considered using KeyDB(Redis!) to hold the keys with a TTL same as remaining lifetime, then checking each token etc etc but if you do that, well, as you rightly say, you might as well go stateful!
cheezballs@reddit
Just depends on what you stuff into your jwt. An app I'm working on has the requirement that our roles and security are handled at the app level rather than the auth server level so we end up checking the user with every request, but I think that your use case is more common.
grantrules@reddit
Why JWT over sessions if statelessness isn't a requirement? Seems like JWT just adds complexity.
cheezballs@reddit
Sessions? We're not using sessions. APIs are best stateless, hence the checking security with each request.
willcodefordonuts@reddit
That’s pretty much how it should be done.