janbaykara
commented
6 months ago The first challenge I'm facing is how to add a jti field to the payload, when I can't figure out how to extend the TokenPayloadType strawberry type.
Open janbaykara opened 6 months ago
janbaykara
commented
6 months ago The first challenge I'm facing is how to add a jti field to the payload, when I can't figure out how to extend the TokenPayloadType strawberry type.
nrbnlulu
commented
6 months ago Hey.
Do you want to blacklist fresh tokens or refresh tokens? if the latter what's stopping you from just revoking it?
What's jti?
janbaykara
commented
5 months ago I want to revoke the tokens themselves. I've implemented this by storing a plaintext reference to the JWT signature along with a revocation boolean field. I load this blacklist into the cache and check all authenticated requests against it. PR here: https://github.com/commonknowledge/meep-intelligence-hub/pull/46
Re JTIs, a quote trom the article above:
To revoke a JWT we need to be able to tell one token apart from another one. The JWT spec proposes the jti (JWT ID) as a means to identify a token. From the specification: > The jti (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well.
nrbnlulu
commented
5 months ago Ok so AFAIR you want that the api clients would not be required to use a refresh token something like github tokens so you want to make the fresh tokens revokeable in order for them to be usefull for long periods, correct?
If that so, why not just to authenticate yourself via a refresh token? You can setup a public authorization field that would accept refresh tokena instead of short tokens.
janbaykara
commented
5 months ago Oh, that's a nice idea! I'm not immediately sure what that would precisely look like but may take a look at this and report back here.
For now, I'll post this PR here for how I hacked a first version of blacklisted tokens: https://github.com/commonknowledge/meep-intelligence-hub/pull/46/files
nrbnlulu
commented
5 months ago For now, I'll post this PR here for how I hacked a first version of blacklisted tokens: commonknowledge/meep-intelligence-hub#46 (files)
Thanks for sharing, on my TODO :smile:
We might as well rename refresh tokens to long running tokens and have support for it here
We're setting up a simple public API ontop of our private API, and we want to use the same Strawberry setup.
As part of this, we'd like to extend the use of JWT tokens for use as long-lasting API tokens that can be revoked.
Some research led to the strategy of revocation via blacklisting tokens, and it'd be fantastic if this was built in to the library.