zsoltkacsandi 6 hours ago

> With JWTs you don't have a list of valid tokens as state, but only a list of invalid ones (revoked).

Yes, and a lookup operation is a lookup operation. Your database or data structure used for storing the sessions/JWT revocation entries won't really care whether you look for things that are active or things that are inactive/revoked. If you store it in the right database, both lookups will be O(1), so it is the same (or at least the difference is negligible), regardless of the size.
littlecranky67 6 hours ago

The story changes if you have a distributed database. Replicating a smaller revocation list (that is append-only) that will never be more than a couple of MB is easier to do across distributed nodes around the world than keeping a larger session state DB replicated. Heck, your revocation list can even be public (it contains only a list of substrings of a few bytes of hashes). Syncing sessions can be done, no question, I would just think JWT+revocation DB is easier to implement, yet robust.