
Blacklisted tokens can still be refreshed #36

Closed
ashokdelphia opened this issue Mar 2, 2020 · 3 comments · Fixed by #37

Comments

@ashokdelphia commented Mar 2, 2020
If you configure an app to allow blacklisting tokens and turn JWT_ALLOW_REFRESH on, then you can still operate the refresh endpoint using a blacklisted token, which allows you to side-step the fact that the token is invalidated.

@ashokdelphia (Author) commented

There's a more nuanced problem where invalidating a token doesn't do anything to any related tokens that could still be valid.

For example, if you authenticate to create token A, then refresh it to get token B, but A is still valid, then blacklisting token B only prevents that exact token (reasonably enough). It might be worth adding a way to blacklist the whole family of refreshed tokens, by adding a common identifier for the initial authentication, but that's well beyond the scope of what I'm seeking to fix here.

Alternatively, if we were to add something that prevented a token being refreshed more than once (which I would see as a reasonable restriction, although possibly annoying to enforce), then we could potentially use the same mechanism to prevent the 'antecedents' of refreshed tokens from being used, too.
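As an added illustration of the points raised in the issue and the comment above (the refresh endpoint must consult the blacklist, a common identifier for the original authentication lets you revoke the whole family of refreshed tokens, and blacklisting the antecedent on refresh enforces a refresh-only-once rule), here is a self-contained Python example. It is not code from this project or its maintainers: the `auth_id` claim name, the `TokenService` class, the demo secret and the hand-rolled HS256 encoder are assumptions made for the example and stand in for whatever JWT library and settings the project actually uses.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_LIFETIME = 300  # seconds


def _b64encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(claims: dict) -> str:
    """Build a compact HS256 JWT (header.payload.signature)."""
    header = _b64encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64encode(sig)}"


def decode(token: str) -> dict:
    """Verify signature and expiry; raise ValueError on any failure."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64decode(payload))
    if claims["exp"] <= time.time():
        raise ValueError("expired")
    return claims


class TokenService:
    """Issues, refreshes and blacklists tokens.

    Two revocation sets are kept: individual tokens by their `jti` claim and
    whole families by the hypothetical `auth_id` claim, which every refreshed
    token inherits from the token produced by the original login.
    """

    def __init__(self):
        self.blacklisted_jti = set()
        self.revoked_families = set()

    def issue(self, subject: str, auth_id: str = None) -> str:
        now = int(time.time())
        return encode({
            "sub": subject,
            "jti": uuid.uuid4().hex,
            "auth_id": auth_id or uuid.uuid4().hex,  # new family unless refreshing
            "iat": now,
            "exp": now + TOKEN_LIFETIME,
        })

    def _rejected(self, claims: dict) -> bool:
        return (claims["jti"] in self.blacklisted_jti
                or claims["auth_id"] in self.revoked_families)

    def is_valid(self, token: str) -> bool:
        try:
            return not self._rejected(decode(token))
        except ValueError:
            return False

    def blacklist(self, token: str) -> None:
        """Revoke exactly this token (the behaviour the issue describes)."""
        self.blacklisted_jti.add(decode(token)["jti"])

    def blacklist_family(self, token: str) -> None:
        """Revoke this token and every token descended from the same login."""
        self.revoked_families.add(decode(token)["auth_id"])

    def refresh(self, token: str):
        """Return a new token in the same family, or None if the presented token
        is expired, tampered with, blacklisted or part of a revoked family.
        The blacklist check is the one the issue reports as missing; blacklisting
        the antecedent below makes each token refreshable only once."""
        try:
            claims = decode(token)
        except ValueError:
            return None
        if self._rejected(claims):
            return None
        self.blacklisted_jti.add(claims["jti"])
        return self.issue(claims["sub"], auth_id=claims["auth_id"])
```

The refresh path deliberately reuses the same `_rejected` check as ordinary verification, so a blacklisted token cannot be traded for a fresh one; revoking the family is what closes the gap between blacklisting token B and token A remaining usable.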

@fitodic (Collaborator) commented Mar 3, 2020

We did set out to implement JWT blacklisting as described by Auth0, including the refresh tokens upon usage, but we ran out of time and resources due to other issues. I've added the links above so anyone who reads this issue knows what the original intention was and, based on your comment, figures out what's left to do.

I agree with everything you've pointed out and would like to see this change land, either by reviewing it or doing it myself, but we are a bit short on time at the moment, hence the basic blacklist functionality.

@ashokdelphia (Author) commented

@fitodic: That's good to know. I can probably find some time soon to add support for token identifiers and/or improvements around refresh tokens. I'll hopefully let you know in the next few weeks.
