Using JWT for authentication is an anti-pattern
status
Published
date
Oct 27, 2022
featured_image
slug
invalidating-jwts
tags
Design
summary
We use JWTs everywhere: for authenticating and verifying. But since the stateless mechanism of JWT makes it unsafe for multiple times authentication, and making it stateful doesn’t make sense.
type
Post
JWT tokens cannot be invalidated without holding a state for created tokens since JWT works stateless unlike user sessions. Invalidating is not possible without holding any state. This is the one of the main problem of invalidating JWTs. The matter is finding a way to invalidate by using the most effective way without causing any slowness when intercepting the ongoing requests that go to non-public endpoints of the application.
The ways to invalidate tokens
Well, there are a few ways to invalidate:
- Black listed tokens
- White listed tokens
- Signing tokens with a nonce value or password on user record
- Setting expiry time short, which doesn’t solve the problem at all
All of these, except the last one, are totally useless since they require a database lookup, which consumes more system resources. It’s better to keep going with a solution that do not require lookup. Performance and scalability is the most important issue when invalidating tokens since tokens must be controlled each subsequent requests once it’s been created. The last one is not useful at all, because setting expiry time short will cause that users have to login once the token is expired.
Alternative Approaches
Given the limitations of JWTs for user authentication, it’s important to explore alternative approaches that can provide the necessary security and flexibility. Here are a few options:
- Session-Based Authentication:
- How it works: The server creates a session for the user and stores session data on the server side. A session ID is then sent to the client via a cookie.
- Advantages: This method inherently supports session invalidation, as the server can delete or invalidate the session data at any time. It also allows for more fine-grained control over user sessions.
- Disadvantages: It requires maintaining a session store, which can lead to scalability challenges in distributed systems. However, modern solutions like distributed caches (e.g., Redis) can mitigate these issues.
- OAuth with Access and Refresh Tokens:
- How it works: OAuth can be used to issue short-lived access tokens and longer-lived refresh tokens. When the access token expires, the client uses the refresh token to obtain a new access token.
- Advantages: This method allows for short-lived tokens, reducing the window of opportunity for token misuse. The refresh token can be invalidated, providing a mechanism for token revocation.
- Disadvantages: It adds complexity to the implementation and requires secure storage of refresh tokens.
- Hybrid Approaches:
- How it works: Combining JWTs with session management or other stateful mechanisms can offer a middle ground. For example, using JWTs for initial authentication and then transitioning to a session-based system.
- Advantages: It can leverage the benefits of both JWTs and session-based methods, providing flexibility and security.
- Disadvantages: It may increase the complexity of the authentication system and require careful planning to avoid security pitfalls.
Conclusion
While JWTs have their place in certain authentication scenarios, their use for ongoing user sessions is fraught with challenges. By understanding the limitations and exploring alternative solutions, developers can build more secure and scalable authentication systems that better meet the needs of their applications. It's crucial to evaluate the specific requirements and constraints of your application to choose the most appropriate authentication method.