Hello! I’m kinda new to implement JWT mechanism to system and what I have done so far is access token and refresh token. But how can I implement revoke mechanism for log out for example? Currently I have refresh token rotation mechanism - if access token has been refreshed then refresh token should be refreshed too. But as far as I know this is + 1 db query (I store my refresh tokens in mysql). Is it a good idea to have such mechanism or better just make refresh token long-lived and revoke it if it got compromised or user wants to log out? I so, is there a best way to implement revoke mechanism?
Refresh token rotation is Auth0’s solution to the inherently lack of security in Single Page Applications.
To revoke a refresh token, see this Management API endpoint:
https://auth0.com/docs/api/management/v2#!/Device_Credentials/delete_device_credentials_by_id
I would caution against storing refresh tokens in a place where anyone but the user they belong to can access them. If you have any SQL injection vulnerabilities, a compromise to your database, or an employee that maliciously or carelessly leaks the contents of that table, your identity-based perimeter can be compromised.
I have refresh tokens set to have an inactivity window that is as long as our application’s session window.
Thanks for reply. Can youpleae explain why refresh token rotation has lack of security? Also I’m not using Auth0 but implement jwt mechanism by myself. Therefore I need to implement revoke mechanism by myself too
Refresh token rotation is not what is insecure.
Single Page Applications are insecure because the entire source code is on the browser, so you must assume that the user knows about all sensitive values involved in the process (meaning you can’t use secrets to get tokens).
I see, thanks. Are you familiar with revoke refresh token implementation? Or are you just using Auth0 product? Also refresh token rotation is implemented on server side not on the browser