Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
H
H
Hector762022-02-02 07:19:14
JSON Web Token
Hector76, 2022-02-02 07:19:14

JWT, is it possible to do without Refresh Token in this way?

I’m making a website, dealing with JWT and Refresh Token, at first I did everything according to Feng Shui, but then I realized that the Refresh token rotation system is constantly buggy, they still need to be tracked, they load the site’s API and database, and so on. And in general, I decided to remove them completely, it took 3 minutes. And voila, I only have JWT. Everything works great, set JWT expiration to 10 years.
Of course, this will only work without problems until someone steals the JWT token or changes their password.
I don't see the point in fighting the first one. Anything can be screwed up.
And here is the second problem.
After all, if a person changes the password, then all past JWT tokens (which contain only the user ID and his role) will still work for 10 years.
But what if you include another password hash in the JWT token?
And to carry out JWT validation, for example, 1 out of 100 times, comparing this hash in the JWT with the hash in the database?
Of course, you can compare every time, but this will be a big load on the database, and in principle we won’t win anything.
I think it's a good idea, what could go wrong here?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
D
Dr. Bacon, 2022-02-02
@bacon

but then I realized that the Refresh token rotation system is constantly buggy, they still need to be tracked, they load the site API and database, and so on.
all this is buggy and loads only in your implementation, for example, I don’t have such problems
But what if you include another password hash in the JWT token? And to carry out JWT validation, for example, 1 out of 100 times, comparing this hash in the JWT with the hash in the database?
and now you have begun to invent your crutches, instead of doing it as recommended and time-tested, you don’t need to do it.

Report
J
Jock Tanner, 2022-03-03
@Tanner

The main essence of JWT is to do without any database calls during authentication and authorization. Judging by

they load the site API and database

and
include another password hash in the JWT token

this is not your case, you are still accessing the database (or will be accessing to compare the hash).
In this case, use simple tokens. Just a string of random characters, no load. They do not need to be decrypted by loading the CPU. They can be used forever, in case of compromise, revoke and create a new one manually (of course, you will have to register buttons for this in the user's personal account). A rotten simple token will not burn the email or authorization attributes, and will not allow forging tokens, unlike a JWT without a refresh.

Similar questions
D
di2018-12-05 13:14:16
Does refresh_token need to be JWT if access_token is JWT? 1Reply
Y
yuki2022-02-11 20:45:38
AnonymousUser on every request (simplejwt)? 1Reply
U
unfapable2016-09-24 11:54:21
How does CORS and JWT work in Laravel? 1Reply
S
Sland Show2019-02-26 16:58:17
How to properly configure SwaggerUI for JWT token? 0Reply
S
Shurik2022-04-16 21:24:00
How to validate a JWT token using public.key? 0Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question