JWT and server-side storage

Question

JWT and server-side storage

Each article I read, vouching for the benefits of JWT, claims that one of the benefits is the ability of an auth server to be distributed across multiple servers. those. You do not rely on a central repository of user data to search for each query.

However, when it comes to implementation, I read in many places that for added security you should not just rely on JWT signature verification and that you should maintain a list of black or white list tokens generated by the server.

Does this advantage win above, since this list of tokens needs to be stored centrally, where all servers can access it, and this will require a search for each request?

How did people realize this from their end?

+4

token jwt

trajan Jan 05 '16 at 20:42

source share

1 answer

Darin Dimitrov · Answer 1 · 2016-01-05T20:54:01+0000

You are making very good questions in your question. In fact, it would be advisable to store the OAuth token in a central place in order to simplify the implementation of the withdraw / cancel function. If you simply relied on the signature of the token, you could not have implemented such a function. Suppose a user wants to revoke an access token. In this case, if you did not have a centralized location / data warehouse for those tokens in which you would invalidate it and only rely on the token's signature, then the token would still be valid.

, , OAuth, .

JWT and server-side storage

More articles: