Access tokens and JSON Web Tokens (JWTs) are widely used in modern web applications as a means of authentication and authorization. An access token is a kind of credential that represents the authorization granted to a client to access a protected resource. JWTs, on the other hand, are a type of access token that is used to securely transmit information between parties as a JSON object.

While JWTs are essential for secure communication between clients and servers (or server to server), managing their lifecycle and ensuring their security can be challenging. In particular, it is important to have mechanisms in place to invalidate access tokens when they are no longer needed or when they are compromised, in order to prevent unauthorized access to protected resources.

In this blog post, we'll explore best practices for invalidating access tokens, including token revocation and rotation, and how to implement these mechanisms in OAuth2 and OpenID Connect. By following these guidelines, you'll be able to improve the security of your web application and protect sensitive user data from unauthorized access.

Access Token Lifetime Management

One way to manage access tokens is by controlling their lifetime. Access tokens have a limited lifespan, and they expire after a certain amount of time, after which they are no longer valid. The expiration time can be set by the server like the OpenID Connect Provider (OP) when the token is issued or updated when the token is refreshed.

There are several benefits to controlling the lifetime of access tokens. First, it helps prevent unauthorized access to protected resources by limiting the window of time during which a stolen or compromised token can be used. It helps reduce the risk of token replay attacks, where an attacker intercepts a valid token and uses it to access protected resources.

When setting the lifetime of access tokens, it is important to strike a balance between security, cost, and usability. A token that expires too quickly can be challenging for performance or cost because the client will need to refresh the token frequently which can be resource-consuming. You can't allow having a slow refresh token during traffic peaks since the user will have the application usability impacted. While a token that lasts too long can increase the risk of unauthorized access.

Best practices for access token lifetime management include setting a reasonable expiration time based on the sensitivity of the data being accessed, using short-lived tokens for high-risk operations, providing a mechanism for token refresh, and logging token usage to detect anomalies and suspicious activity.

In the next section, we'll explore mechanisms for invalidating access tokens when they are no longer needed or when they are compromised.

Token Revocation Mechanism

Another way to manage access tokens is by revoking them when they are no longer needed or when they are compromised. Token revocation is the process of invalidating a token before it expires, thereby preventing it from being used to access protected resources.

If you want to immediately revoke a JWT access token and ensure that every API that relies on it will stop accepting it, you can use this mechanism. This can be useful in case a user logs out of your application or if you suspect that a token has been compromised.

Blacklisting

To make the revocation possible you have to use a blacklisting mechanism which involves maintaining a list of revoked tokens on the server side. When a token needs to be revoked, it is added to the blacklist, and subsequent requests with that token will be rejected.

There are different approaches to token revocation, depending on the protocol you are using. For example, in OAuth 2.0, you can use the token revocation endpoint to revoke access or refresh the token. In OpenID Connect, you can use the backchannel logout feature to initiate a logout from all clients that are currently using the token.

Token Introspection

Token introspection is a mechanism that allows clients to query the server to determine if a token is still valid. When a client needs to validate a token, it sends a request to the server with the token, and the server responds with information about the token's validity.

Token revocation can be an effective mechanism for revoking tokens, particularly in distributed environments where clients may not have direct access to the server. But it has some drawbacks. First, it requires additional server-side infrastructure to maintain the blacklist, which can be a performance and scalability bottleneck. Second, blacklisting is only effective if the token is checked against the blacklist on every request with the token introspection which can introduce additional latency and overhead and may create a Single Point of Failure (SPoF) in your architecture.

Token Rotation

Token rotation is a mechanism for managing access tokens by regularly issuing new tokens and revoking old ones. This can help mitigate the risk of token replay attacks and reduce the impact of a compromised token.

Token rotation typically involves issuing a new access token and a new refresh token each time a user logs in or refreshes their token. The old access and refresh tokens are immediately revoked, and subsequent requests must use the new tokens.

Token rotation can be implemented using a variety of techniques, including time-based rotation, event-based rotation, and hybrid approaches. Time-based rotation involves rotating tokens at regular intervals, such as every hour or every day. Event-based rotation involves rotating tokens in response to specific events, such as when a user's password is changed or when a high-risk operation is performed. Hybrid approaches combine time-based and event-based rotation to provide a balance of security and usability.

Token Revocation and Rotation with OAuth2 and OpenID Connect

OAuth2 and OpenID Connect provide several mechanisms for token revocation and rotation.

OAuth2 Token Revocation

datatracker.ietf.org/doc/html/rfc7009

OAuth2 defines a token revocation mechanism that allows clients to request the revocation of an access or refresh token. The revocation request is sent to the token revocation endpoint, which is a new endpoint defined in the OAuth2 specification. The request includes the token to be revoked and an optional reason for revocation.

POST /oauth/revoke HTTP/1.1
Host: authorization-server.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic <basic-header>

token=<token>

OpenID Connect Back Channel Logout

openid.net/specs/openid-connect-backchannel-1_0

OpenID Connect also provides a logout back channel, which allows a user to log out of all applications that were authenticated using OpenID Connect. The logout back channel is initiated by the user or a client application and is intended to terminate the user's session across all applications that use OpenID Connect.

When the user initiates a logout request, the client application sends a request to the OpenID Connect provider's logout endpoint. The logout endpoint then sends logout requests to all the applications that have a valid session for the user.

The logout back channel is an important mechanism for ensuring that user sessions are properly terminated when the user logs out of an application or when their session expires. This way all the tokens issued for the expired session should be revoked.

Token Rotation

Token rotation in OAuth2 and OpenID Connect can be achieved using several mechanisms, including short-lived access tokens, longer-lived refresh tokens, and the use of token introspection.

OAuth2 defines refresh tokens as a mechanism for obtaining new access tokens without requiring the user to re-authenticate. Refresh tokens can be rotated by issuing a new refresh token each time an access token is issued (rotating refresh token), and immediately revoking the old refresh token. This ensures that only the latest refresh token can be used to obtain a new access token.

Conclusion

Access token management is a critical aspect of securing web applications and APIs. Access tokens, such as JSON Web Tokens (JWTs), allow users to access protected resources without requiring them to repeatedly authenticate with the server. However, if access tokens are not properly managed, they can become a security risk.

To mitigate these risks, organizations should implement best practices for token management, such as keeping tokens short-lived, using strong encryption and signing algorithms, monitoring token activity, and implementing revocation mechanisms. OAuth2 and OpenID Connect provide several mechanisms for token revocation and rotation, including refresh tokens, token introspection, and token revocation endpoints.

By following these best practices and leveraging the capabilities of OAuth2 and OpenID Connect, organizations can effectively manage access tokens and protect their users and their data from unauthorized access and malicious attacks.