JWT refresh and access tokens: A dynamic duo for secure authentication

In my project, I utilize jwt tokens with a strategic approach. Long-lived refresh tokens are employed for authentication purposes, while short-lived access tokens are used to safeguard protected resources. To enhance security against xss attacks, the refresh token is securely stored in a http-only cookie. As for the access tokens, they are exclusively retained within the vuex store of the frontend. A question arises - should the refresh token be renewed when a user changes their password? Unlike traditional methods, I choose not to store refresh tokens in my database, leveraging the cryptographic capabilities of jwts for verification purposes without requiring a lookup operation.

However, an issue presents itself - how can an already dispatched refresh token be invalidated, such as on a different device or browser? Without a designated storage mechanism for refresh tokens, their validity persists until the expiration time lapses. Seeking insights and advice on this matter. Appreciation in advance.

Answer №1

Without storing tokens in the database, remote invalidation becomes a challenge. However, there are common strategies to address this issue.

PLEASE NOTE: These practices are not standardized but are commonly used by major companies.

1. Utilize Cache Database for Token Storage (Avoid main DB)

Storing JWT tokens in a cache database like Redis or Memcached enables faster retrieval and verification of tokens. To invalidate a token, simply remove it from the cache.

2. Implement Short-lived Access and Refresh Tokens

This method is endorsed at many security conferences. Experts recommend setting a brief lifespan (in minutes) for both access and refresh tokens. Additionally, refresh the token each time you acquire a new access token. This renewal process can occur seamlessly in the background (potentially through workers). Consequently, manual invalidation of tokens becomes unnecessary as they expire automatically after a short period.

Recommend watching this video: https://www.youtube.com/watch?v=rCkDE2me_qk

Answer №2

To ensure secure authentication, store refresh tokens with necessary details in a designated database for your Auth service. Include expiration dates and restrictions based on IPs, regions, and browsers. This database should only be accessed when managing authentication processes such as login, logout, and refreshing access tokens.
Using a database to store JWTs can create a potential weak point in the security of your microservices architecture. Instead, consider using session IDs and associated data for a more straightforward approach.
Assign a unique ID to each JWT token (which is already included by default) and connect this ID to a refresh token.
When revoking a refresh token, trigger an event across all services notifying them that any JWTs linked to the revoked token's JwtId are now invalid. This action effectively invalidates all JWTs generated by that specific token within all services. Additionally, you can invalidate JWTs based on various contextual factors such as user IDs to revoke all tokens created prior to a certain date.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

The backend post request is returning only "undefined" in JavaScript

Hey there, I'm still learning JS so please bear with me. I've been working on incrementing a value in a JSON file within my JS backend app. However, whenever I try to increase the associated value by the key, it ends up creating a new section la ...

javascript node.js express backend undefined

Retrieving data from AJAX requests

I have an AJAX code that sends data to the server and returns results including id, name, and quantity. How can I extract and print only the quantity, id, or name? Thank you for your help! <script type="text/javascript"> $("#bto_update_quan ...

javascript

Develop a precompiled library for Angular applications that utilizes Ahead-of-Time (AOT) compilation technology

My Angular 5 library is packaged for consumption by other apps in their node_modules. Currently, the app is compiled Just-in-Time(JIT) using rollup and gulp. I export it as a package, and developers use it in its JIT compiled form. After researching AOT ...

javascript angular angular5 angular2-aot aot

The drag and drop feature seems to be malfunctioning in the Selenium Webdriver when using the Node.js (JavaScript) test automation framework

I am currently utilizing the selenium webdriver along with a customized automation framework built in nodejs. My goal is to implement drag and drop functionality for a slider using the actions class, but unfortunately I am encountering issues. Below you ca ...

javascript node.js selenium automation action

Modify the input placeholder text in Stripe's "postalCode" field to display as "ZIP/Postal" instead of the default options "ZIP" or "Postal Code" by manually making the necessary adjustments

For my nuxt.js app, I am using "@stripe/stripe-js": "^1.9.0" and need to update the placeholder text in this input field: <input class="InputElement is-empty Input Input--empty" autocomplete="postal-code" autocorrect="off" ...

vue.js stripe-payments nuxt.js placeholder stripe-payments-js

NodeJS sqs-consumer continuously triggers the function to execute

I have been utilizing the npm package called sqs-consumer to monitor messages in a queue. Upon receiving a new message, I aim to generate a subfolder within an S3 bucket. However, I am encountering a problem where even after the message is processed and re ...

javascript node.js amazon-sqs

Error in GraphQL query: specified argument is mandatory, yet not supplied

I recently started learning about graphql and encountered an issue with my query. Here is the code I am using: { product { id } } "message": "Field "product" argument "id" of type "String!" is requir ...

javascript typescript graphql backend

Encountering a glitch while iterating through function results in failure after the initial modification

I am facing some errors with the script provided below: var sections = ["#general_info", "#address_records", "#employment_history", "#driver_experience", "#military_experience", "#eeo_survey", &qu ...

javascript jquery html forms validation

Error encountered with Angular version 4: Unexpected token export

Upon starting the app with the command ng serve, I encountered an error in the console: VM1018:2297 Uncaught SyntaxError: Unexpected token export at eval (<anonymous>) at webpackJsonp.../../../../script-loader/addScript.js.mod ...

javascript jquery node.js angular npm

The replacement of className in inline SVG is not permitted (Error: 'Cannot read property 'className.replace' of undefined')

I've hit a roadblock trying to manipulate classes within an SVG document to modify the rect elements. The code works smoothly on divs in an external document, but I've tried several other solutions as well – all listed below. I'm still rel ...

javascript html css svg

Locate the present position of the slider element

I am currently in the process of creating a website that features pages displayed in a slider format. Each page has its own unique ID, but all share a common class called 'section'. However, I am encountering difficulty in identifying the ID of t ...

javascript jquery html slider

What is the best way to send a promise back from my service to my controller?

While I have posed this question in various forms, I now find myself stuck with a piece of code that contains an elusive bug. My Angular service looks like this: .service("lookupDataService", [ '$q', '$http', '$timeout&ap ...

javascript angularjs angular-promise

Problem encountered with imaskJS in handling the formatting of data with forward slashes

After conducting tests on the frontend of the imask website at , it has been verified that utilizing a forward slash for date formatting results in the exclusion of the final digit of the date. Various attempts were made, including: IMask( field, ...

javascript npm imaskjs

Looking to bookmark Java links or a similar task?

Apologies for the lackluster title, as I am not well-versed in programming language and struggle to articulate my specific request... Allow me to explain: I frequently need to visit a particular website to conduct research (details below). I attempted usi ...

javascript php html css

Learning the process of accessing a JSON file from a different directory

I am faced with a straightforward folder structure, it looks like this: project │ └───data │ file.json │ └───js test.js My goal is to access the content of file.json within the test.js file in order to perform some ...

javascript json

Having trouble transferring data to an object in VueJS

Is there a way to properly capture the uploaded file in FilePond, as the base64 data of the file is not being transferred to my object? Any suggestions on how to resolve this issue? Within the template: <FilePond v-on:addfile="catch" /> Inside ...

vue.js

Tips for retrieving the count from HTML using JavaScript:

I need to determine the count of list items in an unordered list within dir-pagination-controls. How can I achieve this using JavaScript? <dir-pagination-controls min-size="1" direction-links="true" boundary-links="true" class="pull-right ng-isolate- ...

javascript jquery html angularjs

JavaScripter Q&A