AlphaRomeoMike / rusty-raptor

A microservice for auth - but better
MIT License

Design::All about token life cycle #3

Open x3r0x-x3n0n opened 10 months ago

x3r0x-x3n0n commented 10 months ago

Proposed Token Lifecycle:

Creation >> ( Validation >> Mutation )* >> Destruction

@AlphaRomeoMike What do you think?

x3r0x-x3n0n commented 10 months ago

My proposals:

How should the token be generated?

Token generated at first request! We can use JWTs.

What should the token look like?

Following RFC 7519, the body looks like:

```
{
  // identity
  iss: "RustyRaptor",  // The only regret is that this service could not be written in Rust.
  sub: UUid,           // Locally unique identifier that persists across sessions, i.e. UUID, Hash(PubKey)
  jti: UUid,           // Locally unique identifier that does not persist across sessions, i.e. Session ID, Hash(PubKey, PRN)
  // timing
  nbf: 1000000,        // Epoch time when this will activate, -1 for now!
  exp: 1000000,        // Seconds after iat after which the token expires, -1 for never!
  iat:                 // Epoch time when issued.
  // scope
  aud: [
    // spacing for clarity!
    " [ GET , POST , DELETE ] | [ BlahBlah/#SelfID/ ] | [ PredicateFunc1 ] ",
    " [ PUT ] | [ BlahBlah/#TransactionID ] | [ PredicateFunc1 , PredicateFunc2 ] ",
  ]
}
```

What if we want to change the issued token? How do we communicate a token change?

On a subsequent session check we could return the new token in the response, revoking the old one when we do! But what if the response is never delivered? Well, Redis can hold the relationship until the new token is seen at least once.

In Redis, i.e. normally: Old_JTI -> "{ Count: 30 }"

On change: Old_JTI -> "{ Redirect: New_JTI }", New_JTI -> "{ From: Old_JTI, Count: 0 }"

On 1st use: New_JTI -> "{ Count: 1 }"

How do we validate tokens?

The public key signing the token is advertised by the server!

How do we revoke tokens?

We delete the JTI from Redis.
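The lifecycle sketched in this comment (create, validate, rotate via a Redirect/From pair, revoke by deleting the JTI) and the `aud` entry format from the JSON body, as an added example in Python that is not part of the rusty-raptor project. It assumes a plain in-memory dict standing in for the Redis keyspace (the real service would use a Redis client with the same keys and JSON values), and the `parse_aud_entry` splitting rule is this example's own reading of the `[ methods ] | [ paths ] | [ predicates ]` layout in the comment.

```python
import json
import uuid


def parse_aud_entry(entry: str):
    """Split one `aud` entry such as
    " [ GET , POST ] | [ BlahBlah/#SelfID/ ] | [ PredicateFunc1 ] "
    into (methods, paths, predicates). Constructed for this example;
    rejects entries that do not have exactly three bracketed groups."""
    parts = entry.split("|")
    if len(parts) != 3:
        raise ValueError(f"expected 3 '|'-separated groups, got {len(parts)}")
    groups = []
    for part in parts:
        part = part.strip()
        if not (part.startswith("[") and part.endswith("]")):
            raise ValueError(f"group is not bracketed: {part!r}")
        groups.append([item.strip() for item in part[1:-1].split(",") if item.strip()])
    return tuple(groups)


class JtiStore:
    """In-memory stand-in (assumption) for the Redis keyspace in the proposal.
    Keys are JTIs; values are the JSON documents from the comment."""

    def __init__(self):
        self._kv = {}

    def create(self, jti=None):
        """Creation: register a fresh JTI with a zero use count."""
        jti = jti or str(uuid.uuid4())
        self._kv[jti] = json.dumps({"Count": 0})
        return jti

    def validate(self, jti):
        """Validation. Returns (accepted, effective_jti, redirect_to).
        - unknown JTI (revoked or never issued): rejected
        - Redirect record: the old token is still accepted, and the caller
          is told to hand out the new JTI, until the new token has been seen
        - otherwise: Count is incremented; the first use of a rotated token
          drops its From link and lets the old JTI be deleted."""
        raw = self._kv.get(jti)
        if raw is None:
            return False, None, None
        rec = json.loads(raw)
        if "Redirect" in rec:
            new_jti = rec["Redirect"]
            new_rec = json.loads(self._kv.get(new_jti, "{}"))
            if new_rec.get("Count", 0) > 0:
                # The new token has been seen at least once: the old one dies now.
                del self._kv[jti]
                return False, None, new_jti
            return True, jti, new_jti
        rec["Count"] = rec.get("Count", 0) + 1
        if "From" in rec:
            # 1st use of the rotated token: forget the relationship and the old JTI.
            self._kv.pop(rec.pop("From"), None)
        self._kv[jti] = json.dumps(rec)
        return True, jti, None

    def rotate(self, old_jti):
        """Mutation: point the old JTI at a new one and link the new one back."""
        new_jti = str(uuid.uuid4())
        self._kv[old_jti] = json.dumps({"Redirect": new_jti})
        self._kv[new_jti] = json.dumps({"From": old_jti, "Count": 0})
        return new_jti

    def revoke(self, jti):
        """Destruction: deleting the key is the whole revocation."""
        return self._kv.pop(jti, None) is not None


if __name__ == "__main__":
    store = JtiStore()
    old = store.create()
    print(store.validate(old))          # accepted, no redirect
    new = store.rotate(old)
    print(store.validate(old))          # accepted, redirect carries the new JTI
    print(store.validate(new))          # accepted, old JTI is dropped here
    print(store.validate(old))          # rejected
    print(store.revoke(new), store.validate(new))
```

The check on the Redirect branch is the part worth keeping in mind: as long as the old JTI still resolves, a client whose response was lost can present it again and be steered to the new token, and the moment the new token is used once the old key disappears, so a replayed old token after that point is rejected rather than silently accepted.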

x3r0x-x3n0n commented 10 months ago

Open for discussion!