Access Revocation and Renewal

JWT Tokens and Access Revocation

Jiffy applications do not directly support the revocation or automatic renewal of JWTs. Instead, a cross-process cache of User information is maintained via a group-membership service. The service ensures that changes to User information (create/update/delete) are disseminated to all running instances of the Jiffy-generated application. Consequently, in Jiffy-based applications it makes sense to discuss User access revocation from the perspective of an administrator calling the user API to delete or deactivate a User. Such changes are effected in the backend database and then applied to the application server caches by way of the web-sockets-based group-membership service; the JWT itself is never tracked or invalidated.

User Access Revocation Example

Conditions

  1. User ‘tester@test.com’ has access to a number of services in a Jiffy-generated application. We now wish to remove this user’s access.
  2. The JWT lifetime in our test system is set to 12 hours.
  3. tester@test.com has a current and valid JWT that will expire in 8 hours.

Revocation Steps

  1. A user with administrative privileges in the Jiffy-generated application makes a call to the Usr service to deactivate the ‘tester@test.com’ account. This call can be made to any running instance (node) of the application.
  2. The call updates the Usr record in the backend database.
  3. On confirmation of the successful update to the Usr record, the Usr controller of the node that handled the deactivation request disseminates the new status of the Usr record to the other group members (nodes). Each group member updates its Usr cache with the new information.
  4. The user is no longer able to log in to the application.

Revocation Results

  1. If the user attempts to log in to any of the application instances, the middleware will see that the Usr has been deactivated when it checks the Usr cache, and the login will be rejected.
  2. If the user holds a valid JWT but their access has been revoked as described in the previous steps, all attempts to access application services will be denied.
  • The JWT itself remains valid: it is still correctly signed and not yet expired.
  • The JWT contains the user’s ID.
  • The route middleware examines the JWT claims for every call made to the application services.
  • The UID claim in the JWT is used by the middleware to read the Usr cache.
  • In this example, the Usr cache will indicate that the user is no longer active, so the request is rejected even though the token verified.
  • This approach allows us to focus on the maintenance and buffering of the persistent object (Usr) rather than trying to maintain/cache the transient JWT.

These steps are the same whether a user is being disabled, being granted more access, or having access to certain services revoked. Because enforcement relies on the cache rather than on the token, it is only as strong as the dissemination: a node that does not receive the group-membership update keeps honouring the token until its cache is refreshed or the JWT expires.

JWT Token Expiration

Jiffy application JWTs contain a standard set of registered claims as outlined in RFC 7519. Logging in to a Jiffy-generated application results in the creation of a new JWT whose standard ‘exp’ claim is set from the value of the ‘jwt_lifetime’ key in the application’s configuration file. Once the current (server) date-time is no longer before the value in the JWT’s ‘exp’ claim (RFC 7519 §4.1.4), the token is no longer accepted by the application and the user is forced to log in again.
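The revocation flow described in the previous section and the ‘exp’ check described here, as an added Go example written for this page; it is not Jiffy’s generated code and its names (Node, Usr, Claims, Sign, Verify, Authorize, Scenario) are invented. Assumptions: HS256 signing with a shared key, a private ‘uid’ claim carrying the Usr ID, a sync.Map per node as the Usr cache, and a peers list that stands in for the web-sockets group-membership service by pushing updates in-process. Scenario reproduces the worked example with constructed data: a token with 8 of its 12 hours left is accepted on node B, the account is deactivated on node A, and the same still-valid token is then rejected on node B; a later call shows the token failing the ‘exp’ check itself.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Claims: the registered exp claim plus a private uid claim (name assumed here).
type Claims struct {
	UID uint64 `json:"uid"`
	Exp int64  `json:"exp"`
}

// Usr is the persistent record that is cached; revocation acts on it, not on the JWT.
type Usr struct{ ID uint64; Active bool }

// Node is one running instance; peers stands in for the group-membership service.
type Node struct {
	cache sync.Map // uid -> Usr; sync.Map suits this read-mostly cache
	peers []*Node
}

// applyUpdate is what a group member does when a Usr change arrives.
func (n *Node) applyUpdate(u Usr) { n.cache.Store(u.ID, u) }

// Update plays the Usr controller: write the record (DB write simulated by the
// local cache write), then disseminate it in-process instead of over web sockets.
func (n *Node) Update(u Usr) {
	n.applyUpdate(u)
	for _, p := range n.peers {
		p.applyUpdate(u)
	}
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func dec(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b } // nil on bad input
func hs256(key []byte, input string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

func Sign(key []byte, c Claims) string { // HS256; the caller sets exp from jwt_lifetime
	payload, _ := json.Marshal(c)
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	return input + "." + b64(hs256(key, input))
}

var ErrToken = errors.New("invalid or expired token")

// Verify checks the HMAC, then exp. The header's alg value is deliberately
// ignored: HS256 is always enforced, so an "alg":"none" token cannot pass.
func Verify(key []byte, token string, now time.Time) (Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 || !hmac.Equal(dec(p[2]), hs256(key, p[0]+"."+p[1])) {
		return Claims{}, ErrToken
	}
	var c Claims
	if json.Unmarshal(dec(p[1]), &c) != nil || now.Unix() >= c.Exp {
		return Claims{}, ErrToken
	}
	return c, nil
}

// Authorize is the route-middleware decision: signature and exp first, then the
// Usr cache lookup by uid, which is the step that actually enforces revocation.
func (n *Node) Authorize(key []byte, token string, now time.Time) error {
	c, err := Verify(key, token, now)
	if err != nil {
		return err
	}
	v, ok := n.cache.Load(c.UID)
	if u, _ := v.(Usr); !ok || !u.Active {
		return fmt.Errorf("uid %d: account inactive, access revoked", c.UID)
	}
	return nil
}

// Scenario is the worked example on constructed data: uid 42 holds a token with 8 of
// its 12 hours left; node A deactivates it; node B then rejects the unexpired token.
func Scenario() (before, after, expired error) {
	key := []byte("constructed-demo-key-not-for-production")
	a, b := &Node{}, &Node{}
	a.peers, b.peers = []*Node{b}, []*Node{a}
	a.Update(Usr{ID: 42, Active: true}) // create on A; B learns via the group
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	tok := Sign(key, Claims{UID: 42, Exp: now.Add(8 * time.Hour).Unix()})
	before = b.Authorize(key, tok, now)
	a.Update(Usr{ID: 42, Active: false}) // deactivate on A only
	after = b.Authorize(key, tok, now)
	expired = b.Authorize(key, tok, now.Add(12*time.Hour))
	return before, after, expired
}

func main() { fmt.Println(Scenario()) }
```

Running it prints nil for the first call and errors for the other two. The order in Authorize matters: the signature is checked before any claim is trusted, the ‘exp’ check runs before the cache is consulted, and only a token that passes both reaches the Usr lookup that carries the revocation decision. Because the signature is recomputed with HS256 regardless of what the header says, a token whose header claims alg "none" is rejected rather than accepted unsigned.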

JWT Token Renewal

It would be possible to alter the Jiffy application to create self-renewing JWTs. Doing so would require the client developer to compare the Authorization header of each response to the one sent in the request, and to replace the stored token whenever it has changed. For now, the strategy is to have the application configuration set a JWT validity of ~12 hours and then force the user to log in again once that limit expires.

On the one hand, not supporting JWT renewal means that the client/consumer of the RESTful services need not check the JWT content at the end of each exchange. On the other hand, the current strategy may be a concern for system-to-system interfaces, which must be prepared to re-authenticate when the token expires, especially where it is not acceptable to set a very long JWT expiry in the configuration.