(iat + valid time frame)
I want to include iat, exp and jti claims in order to protect against replay attacks.
Stanković Vlada

Hi Stanković, thanks for your comment and sorry for my late response.

I see a solution to your problem that does not imply token refreshing but a Redis store:

You could store all the jtis of emitted tokens in the following way:

  • key: token jti
  • value: token status

Where `token status` would be something in:

  • unused: this means the token has been issued but has not been used. If you timestamp the tokens, you would be able to know which ones have been used during the authorized time-frame,
  • revoked: for revoked tokens whose expiration time has not yet happened.

Tokens which are not in the store are valid if their expiration date is still in the future.

Does that answer your question? Do not hesitate to contact me again, I would be happy to share ideas with you!
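
A sketch of the lookup described in the reply above, as an added example that is not part of the original thread or the author's code. It assumes a `Map` in place of Redis, a hypothetical `used` status that an `unused` token moves to on first presentation, a hypothetical `maxAgeSeconds` window counted from `iat`, and claims whose signature has already been verified.

```javascript
// Stand-in for the Redis store (assumption): Map of jti -> { status, exp }.
class JtiStore {
  constructor(maxAgeSeconds) {
    this.maxAge = maxAgeSeconds; // the "valid time frame" counted from iat
    this.entries = new Map();
  }

  // Record a token when it is issued, or mark one as revoked.
  issue(jti, exp) { this.entries.set(jti, { status: 'unused', exp }); }
  revoke(jti, exp) { this.entries.set(jti, { status: 'revoked', exp }); }

  // Drop entries of expired tokens (a Redis key TTL set to exp does this).
  purge(now) {
    for (const [jti, e] of this.entries) {
      if (e.exp <= now) this.entries.delete(jti);
    }
  }

  // Decide on claims whose signature is already verified; times in seconds.
  check({ jti, iat, exp } = {}, now) {
    if (typeof jti !== 'string' || !Number.isFinite(iat) || !Number.isFinite(exp)) {
      return 'reject: malformed claims';
    }
    if (exp <= now) return 'reject: expired';
    if (iat > now || now - iat > this.maxAge) return 'reject: outside time frame';
    const entry = this.entries.get(jti);
    if (!entry) return 'accept'; // the reply's rule: not in store, exp in future
    if (entry.status === 'revoked') return 'reject: revoked';
    if (entry.status === 'used') return 'reject: replayed';
    entry.status = 'used'; // hypothetical status, not named in the reply
    return 'accept';
  }
}

// Constructed sample claims, not taken from a real token.
function demo() {
  const now = 1700000000;
  const store = new JtiStore(60);
  store.issue('a1', now + 300);
  store.revoke('b2', now + 300);
  const t = (jti, iat = now - 10, exp = now + 300) => store.check({ jti, iat, exp }, now);
  return [t('a1'), t('a1'), t('b2'), t('c3'), t('d4', now - 400, now - 1), t('e5', now - 120)];
}

console.log(demo());
```

With Redis, reading the status and switching it to `used` has to happen atomically (for example in a Lua script or a WATCH/MULTI transaction); otherwise two concurrent presentations of the same token can both be accepted.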

