auth_architecture_research.md

File metadata and controls

83 lines (57 loc) · 5.62 KB

awesome-authentication

This is a compilation of research on authentication using JWT.

Fundamentals You Must Know

Cryptography

About Tokens

About Frameworks

Web-Security Recommendations

Secure Key Exchange In Public

Maintaining Forward Secrecy

Invalidating JWT

  • Simply remove the token from the client
  • Create a token blacklist
  • Just keep token expiry times short and rotate them often
  • Contingency plans: allow the user to change an underlying user lookup ID with their login credentials

A common approach for invalidating tokens when a user changes their password is to sign the token with a hash of their password. Thus if the password changes, any previous tokens automatically fail to verify. You can extend this to logout by including a last-logout-time in the user's record and using a combination of the last-logout-time and password hash to sign the token. This requires a DB lookup each time you need to verify the token signature, but presumably you're looking up the user anyway.
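The password-hash plus last-logout-time scheme above, as an added example that is not part of this repository: a minimal HS256 JWT where the per-user signing key is derived from a server secret, the stored password hash and the last-logout timestamp, so a logout or password change makes every earlier token fail verification. The server secret, user record and `lookup_user` callback are constructed for the demo.

```python
import base64, hashlib, hmac, json, time
from typing import Callable, Optional

SERVER_SECRET = b"constructed-server-secret-rotate-me"  # constructed, not a real key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def signing_key(user: dict) -> bytes:
    # Per-user key: mixes the server secret with the password hash and the
    # last-logout time, so changing either one breaks every earlier signature.
    material = f"{user['password_hash']}|{user['last_logout']}".encode()
    return hmac.new(SERVER_SECRET, material, hashlib.sha256).digest()

def issue_token(user: dict, ttl: int = 900) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": user["id"], "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(signing_key(user), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token: str, lookup_user: Callable[[str], Optional[dict]]) -> Optional[dict]:
    # lookup_user is the DB lookup the text mentions; any failure yields None.
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(b64url_decode(header))
        claims = json.loads(b64url_decode(payload))
        sig_bytes = b64url_decode(sig)
    except ValueError:
        return None
    if hdr.get("alg") != "HS256":  # only the algorithm we issue is accepted
        return None
    user = lookup_user(claims.get("sub"))
    if user is None:
        return None
    expected = hmac.new(signing_key(user), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims

def demo() -> tuple:
    user = {"id": "u1", "password_hash": "argon2id$constructed", "last_logout": 0}
    users = {"u1": user}
    tok = issue_token(user)
    valid_before = verify_token(tok, users.get) is not None
    user["last_logout"] = int(time.time())   # user logs out everywhere
    valid_after_logout = verify_token(tok, users.get) is not None
    user["password_hash"] = "argon2id$new"   # user changes password
    valid_after_pw = verify_token(tok, users.get) is not None
    return valid_before, valid_after_logout, valid_after_pw
```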

Security Risks

Implementations (Examples/Demos)

Useful Tools