by kevincox
1079 days ago
You can do something like the TrueTime trick. Services refresh the revocation list every 1s. If they can't refresh for more than 10s, they reject authorization. Then on revocation you just need to wait for 15s or so to ensure that the token will no longer be accepted. This of course means that your downtime tolerance for the token distribution is quite low, but still better than checking revocation on each request. You can also flip it and track the state of every app server: revocation waits until they have all updated (or been confirmed dead), but now revocation time is unbounded. (And you are tracking more mutable state.)
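The bounded-staleness scheme from the comment above, as an added illustration (not code from the commenter): each app server caches the revocation list, fails closed once its copy is older than the 10s bound, and a revocation is therefore guaranteed to be enforced everywhere after the 15s settle period. The `RevocationSource`, `AppServer` and fake clock are assumed stand-ins, not any real system's API.

```python
# Added example, not from the original comment: revocation cache with a staleness bound.
MAX_STALENESS = 10.0       # seconds; reject everything if the cached list is older than this
REVOCATION_SETTLE = 15.0   # the comment's "wait 15s": MAX_STALENESS plus margin for the 1s pull and skew

class RevocationSource:
    """Central list of revoked token ids (hypothetical stand-in for the real store)."""
    def __init__(self):
        self.revoked, self.reachable = set(), True
    def fetch(self):
        if not self.reachable:
            raise ConnectionError("revocation source unreachable")
        return set(self.revoked)

class AppServer:
    """Caches the list; in the described scheme a loop calls refresh() every ~1s."""
    def __init__(self, source, clock):
        self.source, self.clock = source, clock
        self.cache, self.last_ok = set(), None   # last_ok: time of last successful pull
    def refresh(self):
        try:
            self.cache = self.source.fetch()
            self.last_ok = self.clock()
            return True
        except ConnectionError:
            return False        # keep the old copy; its age keeps growing
    def authorize(self, token_id):
        if self.last_ok is None or self.clock() - self.last_ok > MAX_STALENESS:
            return False        # fail closed once the staleness bound is exceeded
        return token_id not in self.cache

def scenario():
    """Walk through revoke -> lag window -> refresh, then an outage of the distribution."""
    t = [0.0]                                        # constructed fake clock (seconds)
    source = RevocationSource()
    server = AppServer(source, lambda: t[0])
    server.refresh()
    out = {"fresh_ok": server.authorize("tok-1")}
    source.revoked.add("tok-1")                      # revocation issued at t=0
    out["before_refresh"] = server.authorize("tok-1")   # still accepted: cache lags by up to 1s
    t[0] += 1.0; server.refresh()                    # next pull picks it up
    out["after_refresh"] = server.authorize("tok-1")
    source.reachable = False                         # token distribution goes down at t=1
    t[0] += 5.0; server.refresh()
    out["outage_5s"] = server.authorize("tok-2")     # 5s stale: within bound, still served
    t[0] += 6.0; server.refresh()
    out["outage_11s"] = server.authorize("tok-2")    # 11s stale: bound exceeded, rejected
    return out
```

Under a 1s refresh and 10s bound, any server still accepting tokens has a copy at most 10s old, so a revocation issued at time T is honoured by every live server no later than T + 10s, which is what makes the 15s wait safe.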