Further review and research shows that the Authentication Service as currently built was designed to be stateless using JWT, which introduces dangerous security issues.
Issues with JWT Authentication (aka stateless Authentication)
Logout is not logout: when a user hits logout, the token is still usable until it expires, and there is no way to revoke an issued token (imagine the user has 5 tokens issued for 5 logged-in devices).
Stale data: imagine a user whose role or scope was updated; this will not take effect right away, since the current token still carries the previous role.
Stateful as a business requirement: imagine a business that needs to track a user's usage, or limit their access to some resource to 3 times a day; this will eventually need stateful session management, which JWT cannot provide.
Taking Action
With these insights, this issue is elevated to ask for refactoring or rebuilding this Authentication Service to be stateful, so that our application can be as secure as possible.
Task breakdown
1. Remodel the service to issue a Refresh Token and an Access Token on successful authentication
2. Remodel the database schema to store the Refresh Token with an "is_revoked" column to track revocation
3. Prevent re-authentication on the same device and enforce one session at a time when logging in on other devices
4. ..to be continued
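A sketch of tasks 1 to 3 as an added example (not code from this project): refresh tokens are stored only as hashes with an is_revoked flag, a new login revokes the user's other live sessions, logout flips the flag, and refresh is refused for revoked or expired records. The in-memory dict, the TTL values and the plain-dict access token are constructed stand-ins for the real table and signed token.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

ACCESS_TTL = 15 * 60          # short-lived access token (seconds), assumed value
REFRESH_TTL = 30 * 24 * 3600  # long-lived refresh token (seconds), assumed value


@dataclass
class RefreshRecord:
    user_id: str
    device_id: str
    token_hash: str            # only the hash is stored; the raw token goes to the client
    expires_at: float
    is_revoked: bool = False   # the "is_revoked" column from task 2


@dataclass
class AuthService:
    # constructed in-memory stand-in for the refresh_tokens table
    store: dict = field(default_factory=dict)

    def issue(self, user_id, device_id, now=None):
        now = time.time() if now is None else now
        # one session at a time: revoke every other live session of this user
        for rec in self.store.values():
            if rec.user_id == user_id and not rec.is_revoked:
                rec.is_revoked = True
        raw = secrets.token_urlsafe(32)
        h = hashlib.sha256(raw.encode()).hexdigest()
        self.store[h] = RefreshRecord(user_id, device_id, h, now + REFRESH_TTL)
        return raw, self._access_token(user_id, now)

    def refresh(self, raw, now=None):
        now = time.time() if now is None else now
        rec = self.store.get(hashlib.sha256(raw.encode()).hexdigest())
        if rec is None or rec.is_revoked or rec.expires_at <= now:
            return None  # unknown, revoked, or expired: no new access token
        return self._access_token(rec.user_id, now)

    def logout(self, raw):
        # logout really is logout: the record is marked revoked server-side
        rec = self.store.get(hashlib.sha256(raw.encode()).hexdigest())
        if rec is not None:
            rec.is_revoked = True
        return rec is not None

    def _access_token(self, user_id, now):
        # placeholder for a real signed access token; it carries its own expiry
        return {"sub": user_id, "exp": now + ACCESS_TTL}
```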
As a starting gun, I will try gradually to finish the tasks.. will update later.