| ▲ | nine_k 7 hours ago |
| > if you have to check an identifier for revocation on every request you could just use an opaque session ID and look that up on every request instead! One reason could be the size. A revocation list only needs to keep session IDs of recently logged-out sessions, for which the token's TTL hasn't yet expired. It may be a much smaller list than a list of every active session. Also, a JWT (or a Macaroon, etc) can store a large amount of details about the session in a cryptographically secure, unforgeable way. This rids you of the necessity to store all that in your active session database, again cutting the size. |
|
| ▲ | agwa 7 hours ago | parent | next [-] |
| As someone who operates a PostgreSQL database containing 27 billion SSL certificates, each 1-2kb each, with a bunch of secondary indexes that get inserted in random order, I find it pretty incredible that people see the need to optimize their session database. At what scale does the size of the session database actually matter? Those stateless tokens may be "unforgeable", but they are replayable, and if you're not mindful of that you can have security vulnerabilities. |
| |
| ▲ | mewpmewp2 5 hours ago | parent | next [-] | | I think one meaningful case is when you have services in very different locations and you would rather than having to make a request to a session store in a single location, replicate the data to each location for better latency, so in this case a revocation list. | |
| ▲ | hparadiz 7 hours ago | parent | prev | next [-] | | You should do some basic optimizations. Fixed length table and indexes on the unique string for fast lookups. I also like to do a rolling delete for old sessions after 30 days unless mobile session that is logged in. Those get to live forever. | | |
| ▲ | agwa 6 hours ago | parent [-] | | Fair enough, but those optimizations are basically free. People think stateless tokens are free but they really are not. | | |
| ▲ | hparadiz 6 hours ago | parent [-] | | The cost of the stateless token is basically the CPU usage for signing the message and checking the signature with the public key on the client. Example: Google Compute Instance asks metadata server for OIDC token (which is a JWT). The metadata server respond with the token that basically says "here's the machine service account, here's the machines ID, this token is proof that I am service account abc123 and it's valid for 20 seconds". This is one of the most common uses of JWTs in enterprise. You don't store them. They actually are free. Lots of web devs get tricked into using them as primary session tokens and it's a huge anti pattern. I see it all the time and people get aggressive about it. | | |
| ▲ | agwa 6 hours ago | parent [-] | | The cost is the vigilance required to use them safely. It's not just compute/storage costs. | | |
| ▲ | hparadiz 5 hours ago | parent [-] | | I didn't downvote you. You're absolutely right. Implementation of anything is work. |
|
|
|
| |
| ▲ | stickfigure 2 hours ago | parent | prev [-] | | The issue isn't size, it's load. |
|
|
| ▲ | saganus 4 hours ago | parent | prev [-] |
| I am still waiting for Macaroons to be used widely. I think they are a fantastic invention. It seems they were not of very much use in the past, but with the agentic-everything now, I see this as a great way of delegating permissions to subagents, third-party agents, etc. Working on something along these lines but unfortunately I cannot dedicate as much time as I'd like. Still, if anyone is reading, give Macaroons a try! |
| |
| ▲ | jiveturkey 3 hours ago | parent [-] | | JWTs can do that (delegate) and such capability is already well defined. | | |
| ▲ | saganus 2 hours ago | parent [-] | | Maybe I stated it wrong. Macaroons have the ability to attenuate the restrictions _without_ contacting the auth server, which makes it IMO fit for restricting and attenuating as much as you want, without much cost. If I need a roundtrip to the auth server to attenuate, I am not necessarily going to do it as often. |
|
|
