|
|
|
|
|
|
by kilburn
2729 days ago
|
|
|
> Why are you expecting to revoke a token in a scenario where the token is supposed to be used once? An attacker was able to somehow issue a bunch of tokens for himself. Now you want to invalidate them even though they're not used yet. > Either the token is deemed valid and accepted or it's invalidated and rejected, which triggers clients to refresh the token and retry the request. The other point here is that you are probably (not always, not in every possible case, but in most common cases) better off using just a bearer token (refresh it on every use if need be). There's no performance benefit in using stateless tokens when they can be used only once, and handling bearer tokens is much easier from a gun-to-shoot-your-feet-with perspective. |
|
|
I'm not expert in JWT and just jumping in here, but wouldn't that imply total compromise of the PKI if this ever happens?
I'm saying, if this scenario comes to pass, with basically any old authentication system, isn't it now time to roll the master keys and invalidate _every previously issued_ token/session the old-fashioned way, by disavowing the prior signing key, and then bouncing every user/ requiring to re-auth freshly and establish brand new sessions within the totally new PKI?
I assume this is always still possible even with JWT from what I've read so far, but I'm happy to be educated if either of you don't mind sharing.