One of the better talks on API architecture. Thanks for sharing!
If I understood correctly, you advised keeping revoked tokens in a store/memcache/db each time a user logs out. It seems to me that the store/memcache/db that contains revoked tokens will grow every time a user logs out. In this case there can be negative performance effects. So the question is: how do we revoke the token correctly? We can probably save the revoked token and its expiration date to the DB and write a scheduled task that clears all expired tokens from the DB every day. Could you please provide your thoughts on this?
On the other hand, if I keep revoked tokens I have to check the store/memcache/db of revoked tokens on each request just to make sure that a user doesn't use a revoked token. That gives rise to poor performance.
JWT is meant to be readable, not encrypted. If you want a claim to be encrypted, just encrypt it before you add it to the dictionary. It can also be used with asymmetric encryption, so you don't need shared secrets.
Very informative. Well presented! I learnt a lot. Thank you for this.
However, I missed one thing. You mentioned the decentralized model of security assurance at the service level, where each service validates the JWT and deciphers from it the user identity and the client identity. But what about authorization checks? Where is this information stored? In the token itself?
Yep. Usually there's a "scopes" claim in there with an array of permissions.
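The two threads above (a bounded revocation list that is checked on every request, and a "scopes" claim carrying permissions) can be shown together. The following is an added example, not code from the talk or from any commenter: a minimal HS256 JWT with a "jti" claim, a revocation store keyed by "jti" that remembers each revoked token's own "exp" so that a pruning pass can drop entries once the token would fail validation anyway, and a per-request check that verifies the signature, consults the store, then checks the scope. All function and class names are hypothetical, the secret is a constructed test value, and time is passed in explicitly so the example runs deterministically offline.

```python
# Added example (not from the talk or any commenter): HS256 JWT issue/verify,
# a revocation list keyed by "jti" bounded by the token's own "exp", and a
# per-request authorization check that also enforces the "scopes" claim.
# All names here are hypothetical; the secret below is a constructed value.
import base64
import hashlib
import hmac
import json
import uuid


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret: bytes, sub: str, scopes: list, ttl: int, now: int) -> str:
    """Mint a signed token with a unique jti, iat, exp and a scopes array."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "scopes": scopes, "jti": str(uuid.uuid4()),
               "iat": now, "exp": now + ttl}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(secret: bytes, token: str, now: int) -> dict:
    """Return the claims if alg, signature and exp check out; raise ValueError otherwise."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # refuse "none" and any unexpected algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


class RevocationStore:
    """jti -> exp for revoked tokens. Stays bounded because prune() drops
    entries whose token could no longer pass verify_token() anyway."""

    def __init__(self):
        self._revoked = {}

    def revoke(self, claims: dict) -> None:
        # Store the token's own expiry so we know when the entry is dead weight.
        self._revoked[claims["jti"]] = claims["exp"]

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked

    def prune(self, now: int) -> int:
        """Drop entries for tokens that have expired; returns how many were removed."""
        stale = [j for j, exp in self._revoked.items() if exp <= now]
        for j in stale:
            del self._revoked[j]
        return len(stale)

    def __len__(self) -> int:
        return len(self._revoked)


def authorize(secret: bytes, store: RevocationStore, token: str,
              required_scope: str, now: int) -> str:
    """Per-request check: signature and exp first (cheap, no I/O), then the
    revocation list (one key lookup), then the scopes claim. Returns "ok" or a reason."""
    try:
        claims = verify_token(secret, token, now)
    except ValueError as e:
        return f"denied: {e}"
    if store.is_revoked(claims["jti"]):
        return "denied: revoked"
    if required_scope not in claims.get("scopes", []):
        return "denied: missing scope"
    return "ok"


if __name__ == "__main__":
    secret = b"constructed-test-secret"  # constructed value, not a real key
    store = RevocationStore()
    tok = issue_token(secret, "alice", ["read:orders"], ttl=3600, now=1000)
    print(authorize(secret, store, tok, "read:orders", now=1001))   # ok
    store.revoke(verify_token(secret, tok, now=1001))                 # "logout"
    print(authorize(secret, store, tok, "read:orders", now=1001))   # denied: revoked
    print(store.prune(now=4600), len(store))                          # 1 0
```

The pruning pass is what answers the growth concern: a revoked entry only needs to live as long as the token's "exp", after which verify_token rejects it on its own, so a periodic prune keeps the store proportional to the number of logouts within one token lifetime rather than growing without bound. The per-request cost is one key lookup after the signature check, which is the trade-off the talk accepts for logout and revocation.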
This video seems to be from before OpenID Connect fully matured; the concept of a refresh token for revocation and a better logout scenario seem to not even be available to the presenter. Thus the presenter's need for a complex propagation solution and statement that logout and revocation are edge cases that can run slower.
BTW what font is it?
Great video. A really awesome intro to token-based auth.
I counted 1,203,405 uses of the word, 'uuhhhhhhhh'.
+tmanley1985 Well, that uhhh killed it for me. I saw your comment first and then made it 52 uuhhhh seconds before I bailed.
uuhhhhhhhh .... a lil bit confusing; you're wrong or maybe I'm wrong, but I recounted approx. 1,130,786 uses of that word.
Very basic information, and the target audience is not experienced engineers, I guess.
uuuuhhhhh Good talk. uuuuhhh Thanks.
He talks less on the subject and more in jargon... very bad presentation.
too much uuuuuuuuuhhhhhhh