by yebyen
2728 days ago
> An attacker was able to somehow issue a bunch of tokens for himself

I'm not an expert in JWT and just jumping in here, but wouldn't that imply total compromise of the PKI if this ever happens? I'm saying, if this scenario comes to pass, with basically any old authentication system, isn't it now time to roll the master keys and invalidate _every previously issued_ token/session the old-fashioned way, by disavowing the prior signing key, and then bouncing every user, requiring them to re-auth freshly and establish brand new sessions within the totally new PKI? I assume this is always still possible even with JWT from what I've read so far, but I'm happy to be educated if either of you don't mind sharing.

Not necessarily. Let's say I steal your password and use it against the auth endpoint to get 10 one-time tokens for your account. Re-rolling the master key is a solution, but a very radical one if I can just invalidate all your tokens, don't you think? ;)
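The two levers the reply contrasts, as an added example that is not part of the thread: a minimal HS256 JWT issuer/verifier (constructed here, not any library's API) that can either invalidate one user's tokens via a per-subject `iat` cutoff, or disavow the old signing key so every token ever issued fails. Key ids, secrets and claim values are constructed sample data.

```python
import base64, hashlib, hmac, json

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class TokenService:
    def __init__(self, kid: str, secret: bytes):
        self.keys = {kid: secret}   # key ring, selected by the 'kid' header
        self.current_kid = kid
        self.revoked_before = {}    # sub -> iat cutoff (per-user invalidation)

    def issue(self, sub: str, iat: int) -> str:
        header = _b64(json.dumps({"alg": "HS256", "kid": self.current_kid}).encode())
        payload = _b64(json.dumps({"sub": sub, "iat": iat}).encode())
        sig = hmac.new(self.keys[self.current_kid], f"{header}.{payload}".encode(),
                       hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64(sig)}"

    def verify(self, token: str):
        """Return the claims if the token is valid, else None."""
        try:
            h, p, s = token.split(".")
            header = json.loads(_unb64(h))
            # Pin the algorithm; never let the token's 'alg' pick the check.
            if header.get("alg") != "HS256":
                return None
            key = self.keys.get(header.get("kid"))
            if key is None:         # signed under a disavowed (rotated-out) key
                return None
            expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(s)):
                return None
            claims = json.loads(_unb64(p))
            if claims["iat"] < self.revoked_before.get(claims["sub"], 0):
                return None         # issued before this user's cutoff
            return claims
        except (ValueError, KeyError, TypeError, AttributeError):
            return None

    def revoke_user(self, sub: str, now: int) -> None:
        """Targeted: reject every token of one user issued before 'now'."""
        self.revoked_before[sub] = now

    def rotate_key(self, kid: str, secret: bytes) -> None:
        """Radical: disavow all old keys, so every existing token fails."""
        self.keys = {kid: secret}
        self.current_kid = kid
```

The per-user cutoff needs one small lookup per verification but leaves everyone else logged in, whereas rotating the key forces the whole user base to re-authenticate.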