undefined | Better HN

0 pointsdflock3y ago0 comments

It's really trying to solve a problem they created by statlessly handing out tokens instead of keeping session state on the backend - they have no way to revoke a token once issued, so long lived tokens are a liability. Solution? More complexity! Hand out very short lived tokens, along with a slightly longer lived refresh token, which only allows you get a new bearer/access token.

0 comments

7 comments · 2 top-level

ikiris3y ago· 3 in thread

You're free to handle a billion qps in authentication requests if you want. I don't suggest it.

asdfman1233y ago

Greatly reducing hosting costs at the expense of making someone else do a little more work sounds like a win to me.

paulddraper3y ago

Don't the clients have to do a billion qps as their retrieve access/refresh tokens from their data stores?

migf3y ago

Yeah, but it's a negligible rounding error of cpu time for each client.

Distributing this work ironically makes it much easier to centralize the authentication.

rad_gruchalski3y ago· 2 in thread

Don't they still require some state to be able t invalidate refresh tokens?

radlad3y ago

Yes, but checking refresh tokens will occur much less frequently than checking access tokens. So you can imagine, for example, access tokens being JWT, so they are cheap to check. But every so often you have to validate the refresh token against MySQL (or BigQuery or what-have-you), which is more expensive.

rad_gruchalski3y ago

That's all clear to me. But technically there exists a method to revoke an issued token. It's just that long lived tokens mean potentially lots of them == increased storage cost. It would be pretty silly not to check for revocation. How would one implement logout otherwise? Relying on just clearing session cookies? What if I obtained those cookies using something else than a browser and I can hold on to the cookie jar? Not checking for revocation == doing it wrong.

The purpose of a refresh token to allow the app to short circuit the login process. Regardless of how long the token is issued for. It's perfectly okay to ignore refresh tokens altogether, if one wants to.

2 more replies

j / k navigate · click thread line to collapse