Daniel Fanara wrote this article about more advanced topics of managing secure JSON Web Tokens (JWT). They are great for representing a user’s authentication / authorization state without needing to maintain a server-side session store.
This makes them great for highly scalable environments since you won’t have to connect to a central location to verify the validity of a token. However, this exposes your applications to another problem that isn’t exactly trivial either.
What do you do when a single token is compromised? Short of invalidating all of your users’ tokens by forcing a global key change, there’s really nothing you can do. There are, however, some best practices you can follow to ensure your tokens remain secure. The article then covers in some detail:
- Expiring and refreshing tokens
- Choosing the right signing algorithm
- Symmetric signing algorithms
- Asymmetric signing algorithms
- Managing your signing keys
You will also get credible sources in this article to provide you with accurate best practices and recommendations.[Read More]