
> Because in a highly distributed system hitting a database to validate authorization is expensive and causes bottlenecks.

Don't you have to do something similar to invalidate tokens anyway?



> Don't you have to do something similar to invalidate tokens anyway?

Not exactly...

1. Invalidation lists can be held in memory easier than an entire token database. And if the invalidation list is huge you can distribute a bloom filter across your nodes and use that to check before hitting the database.

2. As another poster pointed out, bearer JWT tokens are meant to be short-lived. If your implementation is on top of OAuth, use a longer-lived refresh token to get a new bearer token every so often (say half an hour). So if you are OK with your invalidated tokens being OK for "up to" the expiry (so up to half an hour in this example), you only need to do strong validation on the refresh tokens.
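The in-memory invalidation list with a Bloom filter in front of the database, as described in point 1 above, as an added example (not code from the thread). Assumptions: the "database" is a plain Python set standing in for the authoritative revocation store, tokens are identified by a `jti`-style string, and the filter is sized for an expected number of revoked tokens with a target false-positive rate; all token ids are constructed.

```python
import hashlib
import math


class BloomFilter:
    """Probabilistic set: may_contain() can return a false positive but never a false negative."""

    def __init__(self, expected_items, false_positive_rate=0.01):
        # Standard sizing formulas: bit-array length m and hash count k.
        self.m = max(8, int(-expected_items * math.log(false_positive_rate) / (math.log(2) ** 2)))
        self.k = max(1, int(round(self.m / expected_items * math.log(2))))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # k independent positions derived from salted SHA-256 digests.
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def may_contain(self, item):
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(item))


class RevocationChecker:
    """Checks the Bloom filter first; only a possible hit costs a trip to the store."""

    def __init__(self, revoked_ids, expected_size=10_000):
        self.db = set(revoked_ids)  # constructed stand-in for the authoritative revocation table
        self.bloom = BloomFilter(expected_size)
        for jti in self.db:
            self.bloom.add(jti)
        self.db_lookups = 0  # how often we actually had to consult the store

    def revoke(self, jti):
        # Both structures are updated; the filter alone would be enough to ship to other nodes.
        self.db.add(jti)
        self.bloom.add(jti)

    def is_revoked(self, jti):
        if not self.bloom.may_contain(jti):
            return False  # definitive: a Bloom "no" is never wrong, so no DB round-trip
        self.db_lookups += 1  # possible revocation (or false positive): the store decides
        return jti in self.db


def db_hit_fraction(checker, n=1000):
    """Fraction of lookups for never-revoked tokens that still reached the store."""
    before = checker.db_lookups
    for i in range(n):
        checker.is_revoked(f"never-revoked-{i}")
    return (checker.db_lookups - before) / n


if __name__ == "__main__":
    checker = RevocationChecker(["tok-1", "tok-2"])
    checker.revoke("tok-3")
    print(checker.is_revoked("tok-3"), checker.is_revoked("tok-999"))
    print("DB hit fraction for valid tokens:", db_hit_fraction(checker))
```

The design point is the asymmetry: a Bloom "no" is exact, so the common case (a token that was never revoked) never touches the database, while the rare "maybe" is resolved by the store, which keeps the answer correct despite false positives.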


You can use the refresh token to get an 'access token' at https://site.com/access-token, and then use the access token for API access.

Then, having the 'just-the-right-amount-of-short-expiration-time' for access token helps... maybe? :)
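The refresh-token-to-access-token exchange from the two comments above, as an added example that is not code from the thread: the refresh token is opaque and checked against a store (the strong validation), while the access token is a short-lived HS256 JWT verified statelessly from signature and `exp` alone. Assumptions: the signing key, the 30-minute TTL, the subject names and the clock values are constructed for the demo, and the store is a dict standing in for a database table.

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-key-do-not-reuse"  # placeholder key for the example only
ACCESS_TTL = 1800  # "say half an hour", as in the thread


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_access_token(sub: str, now: int, ttl: int = ACCESS_TTL, key: bytes = SECRET) -> str:
    """Mint a compact HS256 JWT whose only state is the claims it carries."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": sub, "iat": now, "exp": now + ttl}, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = _b64url(hmac.new(key, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def verify_access_token(token: str, now: int, key: bytes = SECRET):
    """Stateless check: signature and expiry only, no database. Returns claims or None."""
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(_b64url_decode(header))
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if hdr.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        return None
    expected = _b64url(hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


class RefreshTokenStore:
    """Opaque refresh tokens that must be looked up (and can be revoked) on every exchange."""

    def __init__(self):
        self._active = {}  # refresh token -> subject; stand-in for a DB table

    def issue(self, sub: str) -> str:
        tok = secrets.token_urlsafe(32)
        self._active[tok] = sub
        return tok

    def revoke(self, tok: str) -> None:
        self._active.pop(tok, None)

    def exchange(self, tok: str, now: int):
        """The /access-token step: strong validation here, then a fresh short-lived JWT."""
        sub = self._active.get(tok)
        if sub is None:
            return None
        return sign_access_token(sub, now)


if __name__ == "__main__":
    store = RefreshTokenStore()
    rt = store.issue("alice")
    t0 = 1_700_000_000  # constructed clock value
    at = store.exchange(rt, t0)
    print(verify_access_token(at, t0))
    store.revoke(rt)
    print(store.exchange(rt, t0))  # None: refresh is rejected immediately
    print(verify_access_token(at, t0 + 60) is not None)  # True: access token lives out its TTL
```

The last two prints show the trade-off the comment describes: revoking the refresh token takes effect on the next exchange, but an already-issued access token stays valid for "up to" its expiry because nothing verifies it against the store.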



