undefined | Better HN

0 pointsfontain2d ago0 comments

How often do we need to revoke individual JWTs anyway? You solve for cookie theft with short expiry and key compromise by rotating keys. I don’t find the revocation issue very compelling as a reason to ditch JWTs.

0 comments

CodeLieutenant2d ago

You have never used "Log me out from everywhere" feature. I've used it. Also it's for I want to change my password and invalidate all sessions.

dullcrisp1d ago

Is revocation really such a hard problem? Seems you could store a set of revoked tokens in memory and have a background task update it every couple of seconds. I guess it’s a separate set of infrastructure to maintain but I don’t see why it’s always presented as the thing that undermines an entire authentication scheme.

I guess if you need your tokens revoked this millisecond it’ll require an extra synchronous call on every request but that seems like a unlikely requirement. And not that any of this matter for your 10 user app anyway I guess.

fontainOP1d ago

I don’t recall ever in my life using that feature on the small number of services that offer it.

CodeLieutenant1d ago

You have, and so unknowingly. If you change password, this one triggers, you have to login everywhere. e.g Instagram, Facebook, Github etc.

j / k navigate · click thread line to collapse