Tokens
Self-contained tokens:
Pros –
- The tokens themselves contain information about a given subject, making them a good choice for implementing stateless authentication mechanisms; in other words, no sessions are needed.
- PingFederate uses JSON Web Tokens as its self-contained tokens. A JWT defines a compact and self-contained mechanism for transmitting data between parties in a way that can be verified and trusted because it is digitally signed.
- The encoding rules of a JWT also make these tokens very easy to use within the context of HTTP.
- PingFederate can optionally accept request parameters via self-contained, signed JWTs. This capability enables PingFederate to validate the integrity of the request parameters it receives before processing the request further.
- They are capable of including a state hash (s_hash) in the ID token to protect the integrity of the state parameter.
- Plenty of platforms include JWT validation libraries (.NET, PHP, Node, Python, etc.)
- Future proof
Cons –
- Anyone can inspect the contents (see https://jwt.io/), so if a token is hanging around in a log somewhere or is intercepted somehow, all claims and other information in the token can be read, even if the token is expired
- Claims are stored within the token, which is convenient, but the token size could get large if there are a lot of claims (probably not an issue in real-world scenarios)
- Token expiration is in the token itself, so even if users sign out, their tokens will still be valid until they reach their expiration
- If one becomes compromised, it can be used without restrictions by whoever possesses it. For self-contained tokens, revocation is a lot trickier. Therefore, it is strongly recommended to keep the lifetime of access tokens as short as possible. Token lifetimes of minutes or hours are quite common. Lifetimes of days or months are not recommended. If possible, short-lived access tokens should be combined with refresh tokens to improve security.
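The following is an added example (not PingFederate code or anything from the original page) showing the self-contained token points above with a minimal HS256 JWT built on the Python standard library: `inspect_jwt` reads the claims with no key at all, `verify_jwt` is what a resource server does locally with no call to the issuer, the `exp` claim is the only thing that ends the token's life, and `s_hash` shows the OpenID Connect state hash (left-most half of the SHA-256 digest of `state`, base64url encoded) being bound into the token. The signing key, claim values and state string are constructed for the example; a real issuer signs with a managed key, typically an asymmetric one.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed HMAC key for this example only; a real issuer such as PingFederate
# signs with a managed key (commonly an RSA/EC private key), never a literal.
SIGNING_KEY = b"example-hs256-key-not-for-production"


def _b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url, which is what makes the token URL- and header-safe.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def s_hash(state: str) -> str:
    # OIDC s_hash for a SHA-256 based alg: left-most 128 bits of SHA-256(state), base64url encoded.
    digest = hashlib.sha256(state.encode("utf-8")).digest()
    return _b64url_encode(digest[: len(digest) // 2])


def issue_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build header.payload.signature for an HS256 token carrying the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def inspect_jwt(token: str) -> dict:
    """Read the claims WITHOUT any key: anyone holding the token (log, proxy, browser) can do this."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_jwt(token: str, key: bytes = SIGNING_KEY, now: Optional[float] = None,
               expected_state: Optional[str] = None) -> dict:
    """What a resource server does locally: check alg, signature and exp, with no call to the issuer."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if expected_state is not None and claims.get("s_hash") != s_hash(expected_state):
        raise ValueError("state hash mismatch")
    return claims


if __name__ == "__main__":
    issued = int(time.time())
    # Constructed claims; a 300 s lifetime reflects the "minutes, not days" advice above.
    token = issue_jwt({"sub": "alice", "scope": "read", "iat": issued, "exp": issued + 300,
                       "s_hash": s_hash("opaque-client-state")})
    print("claims readable without the key:", inspect_jwt(token))
    print("verified locally:", verify_jwt(token, expected_state="opaque-client-state"))
    # Sign-out changes nothing here: until exp passes the token still verifies.
    print("still valid after 'sign-out':", verify_jwt(token, now=issued + 299)["sub"])
```

Note that nothing in `verify_jwt` can tell a signed-out user's token from a live one; the only lever the issuer has is the `exp` it chose at issue time, which is why short lifetimes plus refresh tokens are the usual mitigation.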
Reference Tokens:
Pros –
- A compromised reference token can be revoked by the authorization server, making it a lot easier to revoke than a self-contained token
- Minimal configuration required
- Resource servers can validate tokens without having to contact the authorization server
- Token sizes are very small regardless of number of claims because they only contain ids
- Issued tokens are tracked in data store
- Can immediately be revoked
Cons –
- Requires a connection to a data store. Resource servers may not want to have to reference a given database
- Because the access token contains only an id, a database lookup is required for every request
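As an added example (not PingFederate code or code from the original page), the reference-token side of the comparison: an in-memory store that plays the authorization server's database, hands out opaque random ids that carry no claims and stay the same size however many scopes are granted, and can revoke a single token or every token of a user the moment they sign out. `authorize_request` is the resource server's check and shows the cost the cons list points at: one store lookup on every request. The `introspect` name and the record fields are this example's own simplification of what an introspection endpoint would return, and the subjects, scopes and timestamps are constructed values.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass
class TokenRecord:
    subject: str
    scopes: FrozenSet[str]
    expires_at: float
    revoked: bool = False


class ReferenceTokenStore:
    """The authorization server's data store. The client only ever holds the opaque id."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def issue(self, subject: str, scopes: Iterable[str], lifetime_s: int,
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # A random id: no claims inside, and the same size whatever the scopes.
        token = secrets.token_urlsafe(32)
        self._records[token] = TokenRecord(subject, frozenset(scopes), now + lifetime_s)
        return token

    def revoke(self, token: str) -> bool:
        """Revoke one token immediately; True if it was known to the store."""
        record = self._records.get(token)
        if record is None:
            return False
        record.revoked = True
        return True

    def revoke_all_for_subject(self, subject: str) -> int:
        """Sign-out: every outstanding token for the user stops working at once."""
        count = 0
        for record in self._records.values():
            if record.subject == subject and not record.revoked:
                record.revoked = True
                count += 1
        return count

    def introspect(self, token: str, now: Optional[float] = None) -> Optional[TokenRecord]:
        """Resolve an id to its record; None for unknown, revoked or expired tokens."""
        now = time.time() if now is None else now
        record = self._records.get(token)
        if record is None or record.revoked or now >= record.expires_at:
            return None
        return record


def authorize_request(store: ReferenceTokenStore, token: str, required_scope: str,
                      now: Optional[float] = None) -> Optional[str]:
    """Resource-server check. Every request costs one store lookup because the
    token itself says nothing. Returns the subject on success, None otherwise."""
    record = store.introspect(token, now)
    if record is None or required_scope not in record.scopes:
        return None
    return record.subject


if __name__ == "__main__":
    store = ReferenceTokenStore()
    t0 = 1_700_000_000.0  # constructed clock value so the run is deterministic
    token = store.issue("alice", {"read", "write"}, lifetime_s=600, now=t0)
    print("opaque token:", token)
    print("read allowed:", authorize_request(store, token, "read", now=t0 + 1))
    print("sign-out revoked", store.revoke_all_for_subject("alice"), "token(s)")
    print("read after sign-out:", authorize_request(store, token, "read", now=t0 + 2))
```

In a deployment the dictionary would be the authorization server's database and `introspect` a network call, which is exactly the per-request dependency the cons list describes; the trade is that a leaked token stops working the instant the row is flagged, with no waiting for an expiry baked into the token.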