Confusion with JWT
I'm creating an API for a mobile application that will display medical data.
I want to use a JWT token with a refresh token. But I'm really confused by JWT.
As JWT is stateless, once the token is issued, you have no way to invalidate it (you can save the token in your DB and invalidate it, but I think that defeats the purpose of using such a token).
A refresh token is like the login + password of a person (as you can get a JWT token with it), and I don't really understand its value either (except for allowing the user to ALWAYS stay connected).
If someone can get a refresh token, this person can get as many JWT tokens as he wants, and make a lot of requests on behalf of the user it belongs to.
Should I use a simple token for my authentication?
jwt
asked 19 hours ago
cappie013
Are you using any concrete library? Anyway, you can invalidate an issued token by checking the time when it was issued and writing a business rule to not accept tokens where currentTime - tokenIssuedTime > TTL
(TTL being the time you want to allow a token to be used).
– Dez
19 hours ago
@Dez I'm using a Ruby lib. You don't even need to do that, you can just set an exp
attribute on the token
– cappie013
18 hours ago
Ah, now I understand what you meant. The value of the refresh token is quite clear to me. How would you feel as a user having to enter your login and password each time you perform an action? The refresh token is the system that avoids that while maintaining a layer of security by expiring the JWT token with short access times. So you use a refresh token to avoid asking the user to authenticate. About someone getting the refresh token, you have to manage to blacklist them, and you should also have another layer of security by requiring authorization on the request that uses the refresh token.
– Dez
18 hours ago
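As an added example (not code from the question, the comments, or the Ruby library the asker is using), here is a stand-alone Ruby sketch of the design the comments converge on: a short-lived access JWT whose exp claim is checked on every request, and an opaque refresh token kept server-side so it can be rotated on each use and blacklisted when a user logs out or a token is suspected leaked (the "save it in the DB and invalidate it" option from the question, applied to the refresh token rather than the JWT). The HS256 encode/verify is a minimal stdlib-only implementation written for this example, not any gem's API; MiniJWT, RefreshTokenStore, AuthServer, ACCESS_TTL and the secret are assumed names.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Minimal HS256 JWT helper written for this example (stdlib only, not a gem API).
module MiniJWT
  def self.b64url(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  # Constant-time byte comparison so the signature check does not leak timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.encode(payload, secret)
    signing_input = [b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' })), b64url(JSON.generate(payload))].join('.')
    "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
  end

  # Returns [:ok, payload] or [:error, reason]; `now` is injectable for testing.
  def self.verify(token, secret, now: Time.now.to_i)
    parts = token.split('.')
    return [:error, :malformed] unless parts.length == 3
    header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
    # Pin the algorithm: never let the token's own "alg" choose the check.
    return [:error, :bad_alg] unless header.is_a?(Hash) && header['alg'] == 'HS256'
    expected = OpenSSL::HMAC.digest('SHA256', secret, parts[0, 2].join('.'))
    return [:error, :bad_signature] unless secure_equal?(expected, Base64.urlsafe_decode64(parts[2]))
    payload = JSON.parse(Base64.urlsafe_decode64(parts[1]))
    return [:error, :missing_exp] unless payload.is_a?(Hash) && payload['exp'].is_a?(Integer)
    return [:error, :expired] if now >= payload['exp'] # RFC 7519: now must be before exp
    [:ok, payload]
  rescue ArgumentError, JSON::ParserError
    [:error, :malformed]
  end
end

# Stand-in for the DB the question mentions: refresh tokens are opaque random
# strings, stored only as a SHA-256 hash, and can be rotated or revoked.
class RefreshTokenStore
  def initialize
    @records = {} # sha256(token) => { user:, revoked: }
  end

  def issue(user_id)
    raw = SecureRandom.urlsafe_base64(32)
    @records[OpenSSL::Digest::SHA256.hexdigest(raw)] = { user: user_id, revoked: false }
    raw
  end

  # One-time use: consume the presented token and hand back a fresh one.
  def redeem(raw)
    rec = @records[OpenSSL::Digest::SHA256.hexdigest(raw)]
    return nil if rec.nil? || rec[:revoked]
    rec[:revoked] = true
    [issue(rec[:user]), rec[:user]]
  end

  # Compromise response / "log out everywhere": blacklist all of a user's tokens.
  def revoke_all_for(user_id)
    @records.each_value { |r| r[:revoked] = true if r[:user] == user_id }
  end
end

class AuthServer
  ACCESS_TTL = 15 * 60 # seconds; keep the stateless access JWT short-lived

  def initialize(secret)
    @secret = secret
    @store = RefreshTokenStore.new
  end

  def login(user_id, now: Time.now.to_i)
    { access: access_token(user_id, now), refresh: @store.issue(user_id) }
  end

  # Exchange a refresh token for a new pair; nil if unknown, already used, or revoked.
  def refresh(raw_refresh, now: Time.now.to_i)
    new_refresh, user_id = @store.redeem(raw_refresh)
    return nil if user_id.nil?
    { access: access_token(user_id, now), refresh: new_refresh }
  end

  def logout_everywhere(user_id)
    @store.revoke_all_for(user_id)
  end

  # What every API request does: check signature and exp, no DB lookup needed.
  def authorize(access_token, now: Time.now.to_i)
    MiniJWT.verify(access_token, @secret, now: now)
  end

  def access_token(user_id, now)
    MiniJWT.encode({ 'sub' => user_id, 'iat' => now, 'exp' => now + ACCESS_TTL }, @secret)
  end
end
```

The split answers the question's two worries: the stateless JWT is never revoked individually, it simply dies within ACCESS_TTL, so a stolen access token has a bounded window; the refresh token is the long-lived secret, so it is the one that lives in the store, is rotated on every use (a replay of an already-redeemed token fails, which is also a detection signal worth logging), and is the thing you blacklist. For medical data, an even shorter ACCESS_TTL and a refresh token bound to the installed app (e.g. DPoP or mTLS, not shown here) would be the next steps.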