
I want to invalidate refresh JWT tokens without maintaining a blacklist of used refresh tokens with rotation. For this I had the idea of including a ValidationCode in the payload of the RT, which the server generates and stores whenever two refresh tokens are detected being in use with different rotation numbers (as an example, RT2, which the normal user got from his last request, and RT3, which the malicious user generated after sending a malicious request using the old RT2).

Once the server finds that RT2 is in use while the latest one is RT3, the server should "invalidate" the previous tokens and issue a new RT when the user reconnects using his password etc. The process of invalidating tokens is simply changing the ValidationCode in the newly generated token, and accepting any request in which the token is valid and the validation code in the payload matches the one stored on the server for that user.

Using this approach, if the malicious user tries to use RT3 again, even if the JWT is valid, the ValidationCode has now changed and will not match the one on the server; however, the newly generated tokens will.

Is this approach secure and good enough to replace blacklisting old tokens? I think blacklisting defies the purpose of using JWT in the first place, plus it wastes time and memory storing the list and querying it in the database.

  • Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. – Community Jan 29 '22 at 10:08

1 Answer


What you're describing here is a solution where you just keep the latest RT used by the user in the database and allow only refresh requests with the RT saved in the DB. This is a valid approach, but it has one drawback: you can have only one active pair of AT/RT for the user. If that is OK for you, then you can go with this solution.

wasting time and memory storing the list and querying in the database

Either way you will have to query the database, so that doesn't change much. What you gain is a bit of storage space.

Michal Trojanowski
  • I understand, thanks, but what I do not get is "have only one active pair of AT/RT for the user". If I include additional information in the payload, like a device name as an example, I can produce many AT/RT for the same user if he needs to log in from many places, and if an old AT/RT is used, independently of that device name, all the tokens will be revoked by changing that ValidationCode. Is that not feasible? – dbzadnen khiari Jan 21 '22 at 11:06
  • Yes. If you use the validation code you described, you probably will be able to issue multiple ATs for the same user. If you saved the RT instead of the validation code, then it would not be possible. – Michal Trojanowski Jan 21 '22 at 14:28
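The following is an added example written for this page; it is not code from the question author or the answerer. It implements the scheme the question describes and the variant discussed in the comments above: refresh tokens carry a per-user ValidationCode (claim "vc") plus a per-device rotation number (claim "rot"); the server stores one validation code per user and the latest rotation number per device; presenting any rotation number other than the latest one for that device is treated as reuse and rotates the validation code, which rejects every outstanding token on every device until the user logs in with a password again. The HS256 JWT helpers use only the standard library, the signing key, the 30-day lifetime, the claim names and the class/function names are all assumptions made for the example, and the replayed scenario (RT2 stolen, RT3 minted by the attacker) is constructed inline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key for this example only; a real service loads it from a secret store.
SIGNING_KEY = b"example-hs256-key-not-for-production"
REFRESH_TTL = 30 * 24 * 3600  # assumed refresh-token lifetime (30 days)


class RefreshError(Exception):
    """Raised when a refresh token is rejected."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Mint a compact HS256 JWT (header.payload.signature) over the given claims."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str) -> dict:
    """Verify signature and expiry; return the claims or raise RefreshError."""
    try:
        header, payload, sig = token.split(".")
        # Pin the algorithm server-side instead of trusting the token's own header.
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            raise RefreshError("unexpected alg")
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise RefreshError("bad signature")
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError) as exc:
        raise RefreshError("malformed token") from exc
    if claims.get("exp", 0) < time.time():
        raise RefreshError("expired")
    return claims


class RefreshTokenServer:
    """Server state: one validation code per user plus the latest rotation number per device."""

    def __init__(self):
        self._users = {}  # sub -> {"vc": str, "rot": {device: int}}

    def _issue(self, sub: str, device: str) -> str:
        state = self._users.setdefault(sub, {"vc": secrets.token_hex(8), "rot": {}})
        rotation = state["rot"].get(device, 0) + 1  # never restart a chain at 1
        state["rot"][device] = rotation
        claims = {"sub": sub, "device": device, "rot": rotation, "vc": state["vc"],
                  "exp": int(time.time()) + REFRESH_TTL}
        return sign_jwt(claims)

    def login(self, sub: str, device: str) -> str:
        """Password login (assumed verified by the caller) starts or continues the device's chain."""
        return self._issue(sub, device)

    def refresh(self, token: str) -> str:
        claims = verify_jwt(token)
        sub, device, rot = claims["sub"], claims["device"], claims["rot"]
        state = self._users.get(sub)
        if state is None or device not in state["rot"]:
            raise RefreshError("unknown session")
        if not hmac.compare_digest(str(claims.get("vc")).encode(), state["vc"].encode()):
            raise RefreshError("validation code changed; re-authenticate")
        if rot != state["rot"][device]:
            # Two parties hold tokens from this chain. Rotating the user's validation code
            # invalidates every outstanding token on every device with a single write.
            state["vc"] = secrets.token_hex(8)
            raise RefreshError(f"reuse detected: presented rot {rot}, latest {state['rot'][device]}")
        return self._issue(sub, device)


def demo() -> dict:
    """Replay the scenario in the question: user holds RT2, attacker replays it and gets RT3."""
    server = RefreshTokenServer()
    phone = server.login("alice", "phone")   # a second device, untouched by the attacker
    rt1 = server.login("alice", "laptop")
    rt2 = server.refresh(rt1)                # the user's current token
    rt3 = server.refresh(rt2)                # attacker replays RT2 before the user does
    outcome = {}
    for name, tok in (("user_rt2", rt2), ("attacker_rt3", rt3), ("phone", phone)):
        try:
            server.refresh(tok)
            outcome[name] = "accepted"
        except RefreshError as exc:
            outcome[name] = str(exc)
    fresh = server.login("alice", "laptop")  # user re-authenticates with a password
    server.refresh(fresh)
    outcome["after_relogin"] = "accepted"
    return outcome
```

Running demo() shows the user's own RT2 triggering the reuse detection, after which the attacker's RT3 and the untouched phone token are both rejected with a validation-code mismatch, and only a fresh password login restores service. Two consequences of the design are worth noting: as the answer says, every refresh still needs one database read (the user's code and counter), so what is saved is the blacklist, not the query; and because a single code covers all devices, one reuse event logs the user out everywhere, which is the trade-off the comment exchange above is about.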