3

I'm new to using JWT and flask-jwt. I implemented flask-jwt in my project. The access token received from flask-jwt is not expired even after I changed the user password. Then how can I prevent usage of the old flask-jwt token?

Savad KP

3 Answers

4

We can build an additional security layer by storing all tokens in our DB. When validating a token we can check whether this token was generated by our server itself or not by using this database table. Also we can revoke the token when the user resets his password, by just deleting that token from the DB.

Savad KP
3

This is a con of using stateless JWT tokens - you cannot explicitly revoke them.

The corresponding pro is that you do not have to contact external service in order to verify them.

Vilmantas Baranauskas
  • We cannot explicitly revoke a flask-jwt token. It's OK. Then how can I prevent this? I didn't understand the second line. – Savad KP Dec 01 '15 at 07:34
  • When your resource server is contacted, it may verify validity of the token itself without contacting another server for verification. In case of non-JWT access tokens, which are normally just a random string, you have to call the issuing server in order to verify it. This is relatively costly. – Vilmantas Baranauskas Dec 01 '15 at 08:19
3

It is important to keep in mind that (stateless) JWT tokens are invalidated ONLY when they expire or when the shared secret used for signing them changes.

So basically, the choices are:

  • Use a database, as @savad-kp suggested, to keep a list of blacklisted/revoked tokens: This implies that you'll have to query it every time you verify a token, which kind of undermines one of the main benefits of using JWT tokens.
  • Rely on short-lived access tokens: which implies that clients will need to reauthenticate frequently, which may be a no-go option especially for mobile devices and web apps.
  • Use the token freshness pattern or some other custom variant:

[...] you can choose to mark some access tokens as fresh and others as non-fresh, and use the fresh_jwt_required decorator to only allow fresh tokens to access some endpoints.

This is useful for allowing fresh tokens to do some critical things (maybe change a password, or complete an online purchase), but to deny those features to non-fresh tokens (until they re-authenticate and get a new fresh token). Fresh tokens can lead to a more secure site, without creating a bad user experience by making users re-authenticate all the time.

I would also suggest using the flask-jwt-extended plugin instead of the flask-jwt one. It supports some common patterns out of the box (refresh tokens, token freshness) as well as blacklists and token revoking with a db.

el.atomo
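The following is an added example, not code from any of the answers above nor from flask-jwt or flask-jwt-extended. It implements, on the Python standard library only, the three mitigations the answers discuss: a server-side store of issued tokens (the database table from the first answer) that is cleared for a user when their password changes, a short expiry on every access token, and a `fresh` claim that sensitive endpoints such as password change require. The signing key, the `TokenStore` class, its in-memory schema (jti to user) and the `issue_token`/`verify_token`/`change_password` helpers are all assumptions made for the example; a real deployment would back the store with a database and load the key from configuration.

```python
# Added example: minimal HS256 JWT issuer/verifier with server-side revocation
# and the "fresh token" pattern. Standard library only; no Flask dependency.
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"constructed-demo-secret-do-not-use"  # assumption: the app's signing key
ACCESS_TTL = 15 * 60  # short-lived access tokens (seconds)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenStore:
    """Server-side record of issued tokens, keyed by the jti claim.

    Stands in for the database table the first answer suggests. The assumed
    schema maps jti -> user so that all of a user's tokens can be revoked at
    once when the password changes.
    """

    def __init__(self):
        self._issued = {}  # jti -> user

    def add(self, jti, user):
        self._issued[jti] = user

    def is_valid(self, jti):
        return jti in self._issued

    def revoke_user(self, user):
        for jti in [j for j, u in self._issued.items() if u == user]:
            del self._issued[jti]


def issue_token(store, user, fresh, now=None):
    """Sign a short-lived token and record its jti in the store."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user, "iat": now, "exp": now + ACCESS_TTL,
               "jti": secrets.token_hex(16), "fresh": fresh}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(payload).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    store.add(payload["jti"], user)
    return signing_input + "." + _b64url(sig)


def verify_token(store, token, require_fresh=False, now=None):
    """Return the payload if the token is acceptable, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        # Signature is always checked with our own key and algorithm; the
        # alg header is never used to pick the algorithm.
        expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # not signed by us, or tampered with
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None
    if header.get("alg") != "HS256":
        return None
    if payload.get("exp", 0) <= now:
        return None  # expired: the only built-in invalidation of a stateless JWT
    if not store.is_valid(payload.get("jti")):
        return None  # revoked (e.g. after a password change) or never issued
    if require_fresh and not payload.get("fresh"):
        return None  # freshness pattern: the client must re-authenticate first
    return payload


def change_password(store, user, token, now=None):
    """Sensitive endpoint: requires a fresh token, then revokes all of the user's tokens."""
    if verify_token(store, token, require_fresh=True, now=now) is None:
        return False
    # ... update the stored password hash here (omitted) ...
    store.revoke_user(user)
    return True
```

Passing `now` explicitly keeps the example deterministic; in a server you would leave it at the default and let `time.time()` decide. The lookup in `TokenStore` is exactly the per-request database hit the third answer warns about, which is why a short `ACCESS_TTL` still matters: the store can be pruned of expired entries, and a token that is expired never reaches it.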