DEV Community

Cover image for How to invalidate a JWT using a blacklist

How to invalidate a JWT using a blacklist

Tosin Moronfolu on March 08, 2021

This article is going to show you how to invalidate JWTs using the token blacklist method. The token blacklist method is used when creating a logou...
Collapse
 
bartosz_io profile image
Bartosz Pietrucha

If you are using JWT, you want your authorization system to be stateless, right? šŸ™‚. When you introduce blacklisting, you make your authorization stateful! What sense does it make?

This ends up maintaining the list of "logged out", so why not maintain the list of "logged in" and DO NOT use a self-contained token (that exposes the content to anyone), but an opaque token (like session-id) and manage the session on the server. Server-side sessions are by design more secure and logging out isn't any problem.

TL; DR: Blacklisting stateful tokens does not make sense (despite the hype around JWT and cool blacklisting "technique", which probably is fun in developing šŸ¤·ā€ā™‚ļø).

Collapse
 
phlash profile image
Phil Ashby

Good question - from work I did designing a JWT based authorisation system, we concluded that a store of invalidated but within expiry tokens would be several orders of magnitude smaller than a list of valid, in use tokens, so this significantly reduces the work/load/networking required to provide token safety through a stateful revocation mechanism.

In our case we were happy to accept the risk of a transient session token being used at any point within it's issued lifetime (an order of minutes), but wanted to revoke long-term tokens used for API keys (lifetime of months) within a similar order of minutes. We chose to publish revoked token identifiers (via their unique jti field) internally to consuming services at the same time as we published the JWT signing keys, by extending the OpenID connect metadata documents that all services regularly collect (order of minutes) from our source of truth / authentication database. Auth0 blogged a similar approach a number of years ago that was our inspiration: auth0.com/blog/denylist-json-web-t...

Collapse
 
bartosz_io profile image
Bartosz Pietrucha

Hi there! So you were maintaining a "small" list of invalidated tokens that still hadn't expired? If yes, did this approach include periodical scanning for expired tokens? Was this really advantageous compared to regular sessions with opaque tokens?

Thread Thread
 
phlash profile image
Phil Ashby

Yes, the list was 10s of token IDs, owned and updated (hourly IIRC) by an authentication service, and critically, published as a static JSON file to a global CDN. Advantages are: zero coupling between global systems and authentication service (unlike opaque tokens that require a much more coupled global store); very little coupling between the many autonomous global development teams consuming this information in their own services (this was important for our 1000+ people, multi-company global org!).

Thread Thread
 
bartosz_io profile image
Bartosz Pietrucha

Interesting! What if these global development teams didn't check against this JSON file? Just thinking aloud about the practical perspective. Was there any mandate on this?

Thread Thread
 
phlash profile image
Phil Ashby

There was a mandate, as part of the global common user management function (which included a set of acceptance tests that had to pass).

Thread Thread
 
bartosz_io profile image
Bartosz Pietrucha • Edited

Interesting case. So this was implemented for long-lived API tokens (order of months)? This must have been a very detailed design process for such an architecture, haven't been?

I believe you had scalability challenges to tackle! Just curious: standard OAuth with rotating refresh tokens was not feasible?

Was the ratio between active long-lived API tokens (many) and invalidated ones (few) one of the deciding factors?

Thread Thread
 
phlash profile image
Phil Ashby

Yes, we looked at the risk of accepting tokens over different timescales, and concluded that only API keys were a material risk to us (use outside of contract, reputation loss), most of the risk of shorter term token misuse was carried by our customers as it would be their account that got billed if they leaked a token. I should note that the majority of our customers (80%+) used our API integration, not the browser-based UI (for which we had standard OAuth with rotating session tokens and refresh tokens with lifetimes on the order of a few days).

At the time I retired, we were handling ~1billion API calls a day globally.

Thread Thread
 
bartosz_io profile image
Bartosz Pietrucha

Great use case! What a scale!

Collapse
 
chukwutosin_ profile image
Tosin Moronfolu

Amazing, would definitely look into. Thank you!

Collapse
 
chukwutosin_ profile image
Tosin Moronfolu

Thank you for your feedback. You have a point, I use sessions also and it works as you've said. There are many ways to go about things, that's how code works, there isn't one way to it. I'm just sharing my knowledge, I didn't say this is the best way or most secure to go about it. Sessions have their flaws as do JWTs, it's just another way. You have your opinion and I'm happy you shared it. Thank you again.

Collapse
 
bartosz_io profile image
Bartosz Pietrucha

What are the flaws of sessions (in comparison to this "JWT blacklisting")? I am not sure I understand your point.

Collapse
 
meatboy profile image
Meat Boy

Great article :) JWT is an awesome topic.
Protip: you can use pub/sub model of Redis to notify the app about new tokens. However, the main JWT has to be stateless like you mention and possible to verify without additional calls so a better approach is to blacklist refresh tokens and make general token live very short.

Collapse
 
chukwutosin_ profile image
Tosin Moronfolu

True, this is another way to go about it. Thank you for the feedback

Collapse
 
hessman_ profile image
Anthony Domingue • Edited

I think it is not a good idea to add a JWT token to a denylist as it is encoded in base64... You can add "==" to the end of your token to bypass the denylist check and login.

Collapse
 
chukwutosin_ profile image
Tosin Moronfolu

That's if the user somehow gets access to the token and sends it with a request, which is very hard expect they're some hacker or something. And adding extra characters to the end of the token will make sure it's invalid and the verify token middleware checks for that.

If I didn't get you right, please explain.

Collapse
 
hessman_ profile image
Anthony Domingue • Edited

The token is in the header "Authorization" right ? Any user can update the Authorization token in the request. Maybe it's not easy for everyone but it is possible.
JWT is encoded in base64, but in base64 you can add padding with "=" without changing the encoded message. "Hi dev.to !" in base64 is "SGkgZGV2LnRvICE=" but also "SGkgZGV2LnRvICE==" or "SGkgZGV2LnRvICE===".
So if you check the encoded token in the denylist you can just add "=" at the end of the token to bypass the denylist and use the token without changing the decoded value.
Here is the RFC for the base64: tools.ietf.org/html/rfc4648

Thread Thread
 
chukwutosin_ profile image
Tosin Moronfolu

Oh wow, didn't realize this. Thank you for sharing. Will check it out.

Thread Thread
 
phlash profile image
Phil Ashby

This is why our design revoked tokens via their jti field, which is not changeable provided the tokens are correctly signed (with an RSA or elliptic curve key pair). it does require all tokens to be parsed, but we can delegate that to a trusted library that should be resistant to attack...

Collapse
 
iamdoctorj profile image
Jyotirmaya Sahu • Edited

But then we need to scan the redis store at some intervals to ensure removal of expired tokens.

Collapse
 
chukwutosin_ profile image
Tosin Moronfolu

You could If you want to, but it would be redundant as the expiry date works automatically to ensure it is removed at the set date. Since the expiry date is the same as the one on the token itself, I don't think there is need to check at intervals anymore

Collapse
 
iamdoctorj profile image
Jyotirmaya Sahu

Yes, correct. But, my point is the expired tokens would pile up eventually consuming a significant part of the store memory at some point of time.

Thread Thread
 
chukwutosin_ profile image
Tosin Moronfolu

True, thank you for the feedback.

Thread Thread
 
phlash profile image
Phil Ashby

Maybe choose a shared/distributed store that supports automated expiry of records (eg: MongoDB, Zookeeper, etc.), or can execute scheduled jobs (yes, SQLserver could be the right answer :))

Thread Thread
 
chukwutosin_ profile image
Tosin Moronfolu

Thank you for this, I appreciate it!