Revoking JSON Web Tokens (JWTs) was once considered a horrible, difficult task, but one company has figured out how to do it with little impact on a security token’s portability.

In this video:

Getting Started

To start using webhooks as demonstrated, sign up for a Passport account. You can find the example application built for this live coding event on GitHub here: https://github.com/inversoft/passport-bluemix-example. You can also read “Getting Started with Inversoft Passport on IBM Bluemix” for step-by-step instructions.

Abstract

JSON Web Tokens (JWTs) are a popular option in the authentication space, but there are some inherent risks. While you gain flexibility by using a JWT, you lose the ability to revoke a token once it’s issued. To minimize the time between an administrator locking a user account and the moment a previously issued token expires, the JWT should be short lived. This time window, while designed to be brief, is a common security concern. Traditional solutions to this problem defeat the benefits of using a portable identity. Inversoft has come up with a novel way to solve this issue that complements, rather than replaces, the portable token. Brian Pontarelli will cover how to implement this JWT revoke strategy to reduce the vulnerability window.

Recap

A JSON Web Token (JWT) is a JSON object (an unordered collection of name/value pairs where the names are strings) that is supposed to be a safe way to represent a set of information between two parties. JWTs are a stateless authentication mechanism since the user state is never saved in server memory; that is one feature that makes them so portable. The token is composed of a header, a payload, and a signature, like this:

header.payload.signature

The header identifies which algorithm is used to generate the signature. The payload contains the claims to make. The signature is calculated over the base64url-encoded header and the base64url-encoded payload, joined with a period as a separator, using the algorithm named in the header.

For example, an authentication server could issue a token to a user that recognizes the user’s login as that of an administrator, like this: "loggedInAs":"admin".

The way a JWT works is that the user signs into an authentication server. The server creates the JWT and sends it to the user. When the user makes an API call to the app, the token goes with it. The app server is set up to verify that the JWT was created by the auth server. That way, the app server uses the JWT to verify that the API call is coming from the authenticated user.

Once the identity provider signs the token, the user can use it on any service that has the public key until the token expires. That is one powerful token.



The token-based architecture.

JWTs are a popular option for authentication because they are flexible, but there are some risks. For one, you lose the ability to revoke a token once it has been issued to the user. It will expire, but during that time window, it is a security concern. You could also implement blacklisting techniques, but that is a complicated task.
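The following is an added example, not code from the original post or from Inversoft Passport. It ties together the three-part token described above (header.payload.signature, signed here with HS256), the app-server verification step, and one way to narrow the revocation window without giving up portability: a small revocation list keyed by user, of the kind an app server could fill when it is notified that an account has been locked, whose entries are dropped once every token issued before the lock would have expired on its own. The secret key, user ids, claim names other than loggedInAs, and the five-minute token lifetime are constructed sample values; only the Python standard library is used.

```python
"""Added example (not the original post's or Passport's code): a minimal HS256
JWT, an app-server verifier, and a time-bounded revocation list.
All keys, ids and lifetimes below are constructed sample values."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample secret shared by the auth server and the app server.
SECRET = b"constructed-sample-key-do-not-reuse"
TOKEN_LIFETIME = 300  # seconds; a short lifetime shrinks the revocation window


def b64url(data: bytes) -> str:
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, now=None) -> str:
    """Auth-server side: build header.payload and sign it with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + TOKEN_LIFETIME)
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class RevocationList:
    """Revoked subjects with the time of revocation. An entry is only needed
    until every token issued before that time has expired, so the list stays
    bounded: at most one entry per recently locked user."""

    def __init__(self):
        self._revoked = {}  # subject -> time the account was locked

    def revoke(self, sub: str, now: int) -> None:
        # Hypothetical hook: an account-lock notification would call this.
        self._revoked[sub] = now

    def is_revoked(self, sub: str, iat: int, now: int) -> bool:
        self._prune(now)
        revoked_at = self._revoked.get(sub)
        # Tokens issued at or before the lock are rejected; tokens issued after
        # the account was re-enabled and the user logged in again are fine.
        return revoked_at is not None and iat <= revoked_at

    def _prune(self, now: int) -> None:
        for sub, revoked_at in list(self._revoked.items()):
            if now > revoked_at + TOKEN_LIFETIME:
                del self._revoked[sub]  # every pre-lock token has expired

    def __len__(self) -> int:
        return len(self._revoked)


def verify_token(token: str, revocations: RevocationList, now=None):
    """App-server side: returns (claims, "ok") or (None, reason)."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None, "malformed"
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust "none"
        return None, "unexpected alg"
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(p))
    if now >= claims.get("exp", 0):
        return None, "expired"
    if revocations.is_revoked(claims.get("sub"), claims.get("iat", 0), now):
        return None, "revoked"
    return claims, "ok"


if __name__ == "__main__":
    t0 = int(time.time())
    revocations = RevocationList()
    tok = issue_token({"sub": "user-42", "loggedInAs": "admin"}, now=t0)
    print(tok)
    print(verify_token(tok, revocations, now=t0 + 10))   # accepted
    revocations.revoke("user-42", now=t0 + 20)           # account locked
    print(verify_token(tok, revocations, now=t0 + 30))   # revoked
    print(verify_token(tok, revocations, now=t0 + 400))  # expired anyway
```

The verifier stays stateless with respect to sessions, so the token remains portable; the only state the app server keeps is the list of recently locked users, and that list empties itself after one token lifetime, which is why keeping the lifetime short matters twice: it bounds both the exposure window and the size of the list.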

About Brian Pontarelli

Brian Pontarelli is the CEO of Inversoft, a Denver-based company that allows developers to offload their authentication, authorization and user management needs. Before Brian bootstrapped Inversoft, he studied computer engineering at the University of Colorado Boulder. After graduating, he worked at a variety of companies including Orbitz, US Freightways, XOR and Texturemedia.

developerWorks Live Webcasts

Live coding demos, webinars, and “ask me anythings” from IBM developerWorks.
