0
votes

I use JWT tokens in my project: long-lived refresh tokens to authenticate and short-lived access tokens for protected resources. The refresh token is saved in an HTTP-only cookie to reduce the risk of XSS attacks. The access tokens will only be stored in the Vuex store of my frontend. Should I renew my refresh token if the user changes the password? I don't store refresh tokens in my database, because as I understood it the main purpose of JWTs is that I can use cryptography to verify my incoming refresh token and do not have to look it up in my database (otherwise I wouldn't need to use JWTs at all).

But how do I invalidate an already sent refresh token, e.g. on another device or browser? If I don't use a database to store refresh tokens, the token would be valid until its expiration time. I appreciate any advice.

1
You can store only blacklisted refresh tokens in a database like Redis, so you can look up the tokens that shouldn't be renewed and invalidate them whenever their access tokens expire and they ask to renew. Ideally, you should issue a fresh pair of access and refresh tokens each time you renew an expired access token. Just make sure you set a short expiry time for your access tokens. Anywhere between 2 to 15 mins would suffice, as per your use case.
Tom Bombadil

1 Answer

1
votes

Since you don't store tokens in the database, you can't invalidate them remotely. But there are some common practices to overcome this issue.

NOTE: These are not standards, just practices used by major companies.

1. Store tokens in a cache database (not in the main DB)

Storing JWT tokens in a cache database such as Redis or Memcached will allow you to retrieve and verify the token much faster. To invalidate a token you just need to remove it from the cache.

2. Use short-lived access and refresh tokens

This is mentioned in a lot of security summits. Experts say to set a very short lifetime (in minutes) for both access and refresh tokens. Also, exchange the refresh token every time you get a new access token. This renewal process can happen in the background (maybe using workers). So you don't need to invalidate tokens; they will be invalidated automatically after a few minutes.

I recommend you watch this: https://www.youtube.com/watch?v=rCkDE2me_qk