JWT authentication with redis?


The default Auth demo you supply is vulnerable, because it shows an example of storing authorization state on the client (as a JWT). In these cases there must be some kind of revocation mechanism.

Does TMS have such a revocation mechanism built in? For example, support for Redis? (Or is there any chance that TMS will include such a revocation mechanism in Sparkle in the future?)

You can read more about these vulnerabilities on: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ and https://leastprivilege.com/2015/11/25/reference-tokens-and-introspection/

Thanks in advance.

Security is always a trade-off. Those articles are from 2015 and 2016 and provide valid points which you can raise for any authentication mechanism.

JWTs can't be revoked themselves, unless of course you add session management to your server. You can do that, it's up to you. You will lose one of the benefits of JWT, which is being stateless, since you will need to check the validity of the token using data "outside" the token. On the other hand you will be able to revoke the token. Always a trade-off.
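To make the trade-off in the answer concrete, here is an added example (not TMS Sparkle code and not from either poster) of the "data outside the token" approach: an HS256 JWT verifier that, after the usual stateless checks, consults a revocation list keyed by the token's `jti` claim. `RevocationStore` is an in-memory stand-in for Redis (its `revoke`/`is_revoked` correspond to `SET jti 1 EX ttl` and `EXISTS jti`); the secret key and the fixed timestamps are constructed for the demo. The point it shows beyond the text: a denylist entry only needs to live as long as the token's remaining lifetime, so the server-side state stays bounded.

```python
import base64
import hashlib
import hmac
import json
import math
import time
import uuid
from typing import Optional

# Constructed demo key; a real deployment loads this from configuration.
SECRET = b"constructed-demo-secret-do-not-use"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class RevocationStore:
    """Stand-in for Redis. revoke() is SET jti 1 EX ttl, is_revoked() is
    EXISTS jti: entries expire on their own, so the denylist never holds
    more than the currently live revoked tokens."""

    def __init__(self):
        self._entries = {}  # jti -> absolute expiry (unix seconds)

    def revoke(self, jti: str, ttl_seconds: int, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        if ttl_seconds > 0:  # an already-expired token needs no entry
            self._entries[jti] = now + ttl_seconds

    def is_revoked(self, jti: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        expiry = self._entries.get(jti)
        if expiry is None:
            return False
        if expiry <= now:  # emulate Redis key expiry
            del self._entries[jti]
            return False
        return True


def decode_claims(token: str) -> dict:
    """Payload without any verification; only for use after verify_token."""
    return json.loads(b64url_decode(token.split(".")[1]))


def issue_token(sub: str, lifetime: int, now: Optional[float] = None) -> str:
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "iat": now, "exp": now + lifetime, "jti": uuid.uuid4().hex}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, store: RevocationStore, now: Optional[float] = None) -> Optional[dict]:
    """Stateless checks first (format, alg, signature, exp), then the single
    stateful check: is this jti on the revocation list?"""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:  # bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # refuse "none" and algorithm confusion
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    jti = claims.get("jti")
    if not jti or store.is_revoked(jti, now):
        return None
    return claims


def revoke_token(token: str, store: RevocationStore, now: Optional[float] = None) -> bool:
    """Logout handler: only a token that still verifies gets denylisted, and
    only for as long as it would otherwise remain valid."""
    now = time.time() if now is None else now
    claims = verify_token(token, store, now)
    if claims is None:
        return False
    store.revoke(claims["jti"], math.ceil(claims["exp"] - now), now)
    return True
```

Every request now costs one key lookup against the store, which is exactly the statelessness the answer says you give up; in exchange, logout and "kick this session" become possible before `exp`. An alternative with the same cost profile is to key the store by user and store a "not valid before" timestamp, which revokes all of a user's tokens at once.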