How to revoke a JWT token | The JWT lifetime, blacklist and not-before policy

7,582 views

PS After Hours

1 day ago

Support my work / pawelspychalski
One of the most common questions about JWT is how to revoke a token. The short answer is that you can't revoke a single token: a JWT is validated from its signature and claims alone, so once issued it stays valid until its exp claim passes. You can build a blacklist of every token you want to invalidate, but that is not the way to go. Instead, keep the lifespan of the JWT (the exp claim) short and disable the user at the identity provider when required.
What are JWT tokens? Modern authentication and authorization for microservices • What is JWT? The JSON ...
0:00 How to revoke a JWT token
0:43 A token blacklist concept
1:03 So, how to secure your app? Keep the lifetime of the JWT short
3:00 Key change and not-before policy
4:12 What have we learned today?
4:50 Outro
#quadmeup #jwt #programming
www.keycloak.org/docs/latest/...
If you want to support me:
✅ Patreon / pawelspychalski
✅ Banggood affiliate bit.ly/2P8oAxr
✅ Paypal paypal.me/pawelspychalski
▶ Discord server quadmeup.com/discord
▶ My website quadmeup.com/

Comments: 19
@PSAfterHours 2 years ago
What are JWT tokens? Modern authentication and authorization for microservices kzfaq.info/get/bejne/b9RyqJii2bzcfYE.html
@TechnicallyTom 2 years ago
I think there is a better way to revoke a JWT token than using a blacklist. If you change the secret stored on the server it makes all the tokens not valid. The way to handle revoking for only one user is to store part of the secret where you normally would store the secret and part on the user record. This prevents leaking the entire secret but allows the user part of the secret to be changed. The user secret can just be a randomly generated string that changes whenever a user changes their password. Another use case would be a token being used for forgotten passwords where you would change the user stored reset secret when the token has been used successfully. It also adds some additional security since every user has a unique secret for their token.
@PSAfterHours 2 years ago
Yeah, that's what the not-before policy is used for. However, it invalidates all tokens, not only some of them.
@TechnicallyTom 2 years ago
@PSAfterHours By storing part of the secret on the user, though, you can invalidate just one token.
@PSAfterHours 2 years ago
Hmmm, that's an interesting thought. I will have to investigate this option. Thanks for the hint
@lidavid7809 1 year ago
@TechnicallyTom Hi there, I'm not sure how it is possible to get the user-stored part of the secret if you let the client reset the password from a unique route. If I understand correctly, you make a JWT secret out of the user secret and the secret in env?
@TechnicallyTom 1 year ago
@lidavid7809 Yes. The secret is partially stored in env and partially stored on the user. If you reset the secret on the user, the token is no longer valid. You need to fetch the user first before authorization.
@sadeghhosseini6381 1 year ago
We can have a version field in each token's payload, which is a number. We also store each user's version in Redis. On each request we compare the version in the token's payload with the corresponding version in Redis; if they are not equal, it means the token has been invalidated, hence the user is forced to refresh their token. Then, to invalidate a token, we just have to increase the version in Redis for a specific user.
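The strategy from the video description (a short exp, disabling the user, and a realm-wide not-before cut like the one the linked Keycloak docs describe) together with the per-user version counter proposed in the comment above, worked through as one added example. This is constructed code written for this page, not the video's, Keycloak's or any commenter's code; the minimal HS256 signer, the in-memory user store and the `AuthServer` class are assumptions standing in for an identity provider and the resource servers that trust it:

```python
import base64
import hashlib
import hmac
import json

# Constructed for this page: a minimal HS256 JWT signer/verifier plus the small
# amount of server-side state that short lifetimes, a realm-wide not-before
# cut and a per-user token version need. Not PyJWT and not Keycloak code.
SECRET = b"constructed-demo-key-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, key: bytes = SECRET) -> str:
    """Produce header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def parse(token: str, key: bytes = SECRET):
    """Return the claims if the signature verifies, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        # Pin the algorithm: never let the token pick it (the classic alg=none mistake).
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, AttributeError):  # wrong segment count, bad base64/JSON
        return None


class AuthServer:
    """Issuer and verifier sharing one key; `users` stands in for the IdP's user store."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds   # keep exp short: the main lever from the video
        self.not_before = 0      # realm-wide cut: tokens issued before this are rejected
        self.users = {}          # sub -> {"disabled": bool, "ver": int}

    def add_user(self, sub: str) -> None:
        self.users[sub] = {"disabled": False, "ver": 1}

    def issue(self, sub: str, now: int) -> str:
        user = self.users[sub]
        return sign({"sub": sub, "iat": now, "exp": now + self.ttl, "ver": user["ver"]})

    # Revocation levers, from coarse to fine.
    def push_not_before(self, now: int) -> None:
        """Invalidate every outstanding token of every user (a key change has the same effect)."""
        self.not_before = now

    def disable_user(self, sub: str) -> None:
        """Per user: the token stays cryptographically valid, the account does not."""
        self.users[sub]["disabled"] = True

    def bump_version(self, sub: str) -> None:
        """Per user: all of this user's current tokens go stale, no blacklist needed."""
        self.users[sub]["ver"] += 1

    def verify(self, token: str, now: int) -> str:
        """Return "ok" or the first reason the token is rejected."""
        claims = parse(token)
        if claims is None:
            return "bad_signature"
        if now >= claims["exp"]:
            return "expired"
        if claims["iat"] < self.not_before:
            return "before_not_before"
        # Everything below needs a user lookup on every request.
        user = self.users.get(claims["sub"])
        if user is None or user["disabled"]:
            return "user_disabled"
        if claims.get("ver") != user["ver"]:
            return "stale_version"
        return "ok"


if __name__ == "__main__":
    srv = AuthServer(ttl_seconds=300)
    srv.add_user("alice")
    t0 = 1_700_000_000
    tok = srv.issue("alice", t0)
    print(srv.verify(tok, t0 + 10), srv.verify(tok, t0 + 300))  # ok expired
    srv.bump_version("alice")
    print(srv.verify(tok, t0 + 20))  # stale_version
```

Two of the checks need nothing but the signing key and a single timestamp: exp, which is the video's main recommendation, and the realm-wide not-before cut, which rejects every token issued before a key rotation or policy push, for all users at once. The disabled and version checks give per-user revocation, but only because the verifier looks up the user on every request, which is exactly the per-request state the thread argues about. The version number travels in the token in the clear; it does not need to be secret, since the signature is what stops a client from changing it.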
@FPVUniversity 1 year ago
Well, the thing is, this is not how JWT is supposed to work. The whole idea is to have a distributed system where JWTs can be issued by a system you trust, not a system you control.
@darwinmanalo5436 26 days ago
So the solution is to use Keycloak? 😅
@bogdan.shahnitsky 7 months ago
@PSAfterHours, you recommend keeping the lifetime of a refresh token under 20 minutes, but doesn't that mean that if a user (for example) leaves our website for more than 20 minutes (not even mentioning going to sleep), they will be forced to log in again on the next visit?
@moveonvillain1080 4 months ago
Help me understand a bit more. Are you saying that the user will have to sign in every 20 minutes regardless of whether the user is active or not?
@opticalmouse2 1 year ago
The short version is to just use sessions. What a shitshow with JWT and logging out!
@PSAfterHours 1 year ago
No, sessions are not the answer, because sessions do not work with external identity providers. And logout usually means that the user logged out, not that they were forcefully logged out by an admin.
@opticalmouse2 1 year ago
Like I said: What a shitshow with JWT and logging out!
@opticalmouse2 1 year ago
@PSAfterHours "And logout mean usually that user logged out, not was forcefully logged out by admin." You are right.