undefined | Better HN

0 pointsetherealkatana7y ago0 comments

Can you please elaborate on this?

0 comments

The JWT specification defines a payload attribute named jti which is used to store the token's nonce/id.

To avoid replay attacks, the backend adds the token's nonce to a scratchpad memory when the token is used in order to invalidate the token even if the expiration timestamp isn't reached.

If a JWT implementation is implemented to ignore replay attacks or even token expiration, the jti can still be used to invalidate tokens.

j / k navigate · click thread line to collapse

0 comments

geezerjay7y ago

The JWT specification defines a payload attribute named jti which is used to store the token's nonce/id.

To avoid replay attacks, the backend adds the token's nonce to a scratchpad memory when the token is used in order to invalidate the token even if the expiration timestamp isn't reached.

If a JWT implementation is implemented to ignore replay attacks or even token expiration, the jti can still be used to invalidate tokens.

j / k navigate · click thread line to collapse