because most devs are newbies

underrated? lol

he has almost 1million followers which is crazy high for a software channel... how is it underrated

this channel is not underrated. I followed this channel when the total sub is just around 50k. It had reached 1m subs in only 1 year after.

That's really well pointed out.

RBAC is there to compensate for that or simply use full oAuth impmementation instead of JWTs. The videos are pretty basic and do not talk about real-world problems.

A lot of OAuth implementations use JWTs.

@kewqie oAuth token doesn't have to be JWT, spec doesn't enforce it, just libraries do that. It can be any unique string as long as it is identifiable by auth layer and gives back response based on token and passed scope. Logic resides in impmementation details. This is why learning core concepts are essential.

you can compress you claims with a lib and/or algorithm, can use symetric key instead of RSA

Have you tried to measure?

On one of projects I worked on, we had stateful sessions in Postgres. The web service could handle 2k reqs/s. That’s pretty darn a lot. So yeah, you can scale very very far with sessions.

@@OverG88 Spot on. It's even better with a Redis cluster (if you want to scale up Redis eventually) which is not a distributed db, but good enough for this. We don't have "consistent" requests and metrics but it can handle 30-40k (in occasional peaks) like there is no tomorrow.

The authentication JWT itself is stateless, you are not forced to use refresh tokens.

@@kewqie True but if your requirements include a level of security you probably want very short lived JWT tokens... or go back to good ol fashion sessions.

@@furycorp You might not need refresh tokens in that case either and just force the user to login again.

refresh/access tokens can be stateless if you don't need to revoke them(forcing logout or block user in shorter time than the expiration of refresh token.)

yeah I agree, to invalidate the token you need a storage. if you delete/block/logout the user they can still copy their cookies, unless it is in server side

That's exactly what it means, I usually store the refresh token in a db and check if it's still there when the user asks for a new access token. The benefit is that you can delete (invalidate) the refresh token by removing it from the db, so when the user asks for a new access token they can be logged out if I can't find the refresh token id in my db

@@pablofernandezruiz8024 do you store the refresh token in user device i.e cookies?

@@pablofernandezruiz8024this sounds interesting, but I’m a little confused on the implementation of it when a user asks for a new token how do you confirm the user identity? Is there a name for this approach that I can look up more information on?

@@pablofernandezruiz8024 well that defeats the whole purpose of JWT, it is meant to be stateless.

At this stage, it doesn't make sense to use jwt if we are maintaining the state in the backend for sessions. Just use a session token.

Use matomo or ContentSquare.

In this case, I suggest using Redis as a block list since it is more efficient than storing sessions for all users, and it will require less storage space.

What are yhou doing in redis with token?

Same doubt

What is the point of jwt if you still need to query db for every request

⁠@@twitchizleWell you can use a redis bloom filter for invalidated tokens. So it wouldn’t be a costly check. But yes that’s the cost of immediate invalidation while continuing to use JWTs and that’s the point you’re seeking.

@@je_suis_onur but one can still use session token instead of jwt if they are willing to query db for invalidation. Jwt loses its purpose if you query db for auth.

​@@twitchizle Difference is you have to cache every active session in Redis if you're using sessions, instead of a handful invalidated ones and just for a while (like 30m or so). Also session IDs don't give you the user information, that needs to be queried or cached separately while JWTs generally do. So the cost of total memory needed in Redis is much much much lower.

@@je_suis_onur Nothing stops you from putting information in a session ID. It's just generally not needed since majority of the data needed from that request is stored externally anyway. Constant sized session IDs are used exactly because they are fast to lookup. Chances are that the overhead of reading, de/serializing and verifying the token is greater than lookup a session ID. With something like redis or memcached you get expiration for free with no additional information or validation attached to the ID, since each entry can store its own TTL. Any form of trying to implement revalidation mechanisms for JWT is only adding more overhead and complexity that is not proportional with the proposed problems that it aims to solve.

Refresh token are stored on server and when logout action is performed corresponding refresh token is deleted, so that new access token cannot be created.

@@iajaydandge this widely varies. if you''re going to the db anyway, this reduces the stateless nature of jwt. idk if this is wrong or right, i myself have done this and have been questioned a few. some suggest having blacklist instead of active refresh token which again concerns a db/redis. this just varies according to the required security level.

@@bisw4sh Right. I forgot to mention the blacklist part. Still we will need a db/redis for blacklisted token. But db access is less as compared to session based auth.

We store our refresh tokens in the same column our old services saved their session id's, when someone requests a refresh we are able to check for whom it belongs to, and regenerate a jwt for that account. Can easily just remove the saved token to prevent further refreshes. Though this doesn't solve that the token will be valid until it expires. The best way of handling this, and keeping the contents of the tokens secure is the phantom or split token way, where you have some reverse proxy or middleware that keeps the proper token in cache and the client gets an id which is used to get the jwt. This makes it a session id approach for the client, but the backend can still get the benefits of jwt.

@@bisw4sh storing identifiers of refresh tokens after generating and issuing them is not a big problem with JWTs. Because, as mentioned in the video, the frequency of usage of refresh tokens is fairly limited - units of requests to refresh a token within an hour vs hundreds/thousands of requests per issued access token within its lifespan. Thanks to this, the storage service for refresh tokens requires much less scaling, because the amount of requests to it is marginal.

you store refresh tokens on the server, that means you can revoke them

​@@pudgebooster wrong.

Actually you need 2 tokens. Because, access token holds the updated user info, refresh token is needed to update the user info. If you had no refresh token, user would need to log out and log in again to update the user info.

Just throw away the jwt!

You put sensitive data in session objects?

@@furycorp If the session object contains related user account fields they are deemed sensitive and should be encrypted. As I mentioned "In case", since organizations have liberty to define what Auth session would look like.

By invalidating the refresh token. But typically there is no session so what logging out mean?

You can use asymmetrical encryption instead

1. Session auth is actually more secure than jwt because it exists only on the server and can be revoked. 2. JWT is quicker and easier to implement since it works by trusting that the token was issued by the server. If you store all the necessary data in the token's payload, then you don't need to make a database search everytime you ask access to the API. 3. Scaling in what sense? Are you planing on doing microservices? If so, then you should use jwt if you want an eash solution. You could have a centralized cache db for sessions too though, although that's more money. Normally, apps start as a monolithic layered app, a frontend, a backend and a database since that is easier to make and can be deployed in a shorter time. This means you can actually just start with a simple session auth and call it for a day. If you REALLY expect millions of request tou your server in short periods of time, then you should start with microservices and JWT.

Yes, but space is limited.

@@notDacian This approach kind of mimic the session based auth but using jwt. The jwt based auth meant to be stateless so that you don't have to store user associated tokens on server.

@@iajaydandge Well i said its a hybrid approach, witch has its advantages and disadvantages. For modern JS webapps JWT's are kind of the default way of doing auth.

Computers can be hacked, what do you mean a refresh token can be hacked?

Do you know any resource where I can look it to understand well this approach that you've mentioned? Thanks in advance.

So... I store the token on redis and i return the session id to the client, so each requests goes to that specific redis entry, get the token and validate it as a normal jwt? That actually sounds like a pretty interesting approach. No unnecesary db reads and the security provided by a session approach

1) you do not store sensitive info in a jwt. This is advised in its spec 2) you just swapped the jwt storage on the client side with an extra cookie? How is this different in terms of being compromised?