node.js - JWT (JSON Web Token) automatic prolongation of expiration
I want to implement JWT-based authentication for our new REST API. But since the expiration is set in the token, can it be automatically prolonged? I do not want users to have to sign in again every X minutes if they were actively using the application during that period. That would be a huge UX failure.
But the prolongation creates a new token (and the old one is still valid until it expires). And generating a new token after every request seems silly to me; it looks like a security problem when more than one token is valid at the same time. Of course I could invalidate the old one using a blacklist, but then I would have to store the tokens, and that loses one of the benefits of JWT.
I found out how Auth0 solved it: they use not only a JWT but also a refresh token.
But again, to implement this (without Auth0) I would need to store the refresh tokens and maintain their expiration. So what is the real benefit? Why not just have a single token (not a JWT) and keep the expiration on the server?
What are the other options? Is JWT not suited for this scenario?
I work at Auth0 and I was involved in the design of the refresh token feature.
It all depends on the type of application; here is our recommended approach.
Web applications
A good pattern is to refresh the token before it expires.
Set the token expiration to one week, and refresh the token every time the user opens the web application and every hour. If the user does not open the application for more than a week, they will have to log in again, and that is acceptable UX for a web application.
To refresh the token, your API needs a new endpoint that receives a valid, not yet expired JWT and returns the same signed JWT with a new expiration field. The web application then stores the token somewhere.
Mobile / native applications
Most native applications log in once and only once.
The idea is that the refresh token never expires and can always be exchanged for a valid JWT.
The problem with a token that never expires is that never means never: what do you do if you lose your phone? So it needs to be identifiable by the user somehow, and the application needs to provide a way to revoke access. We decided to use the device name, e.g. "Mario's iPad"; the user can then go to the application and revoke access for "Mario's iPad".
Another approach is to revoke the refresh token on specific events; an interesting event is changing the password.
We believe that JWT is not useful for these use cases, so we use a randomly generated string and store it on our side.