4. What is Token? What is JWT? How to authenticate based on Token?

In the previous question, we explored the use of Session to authenticate users and gave several Spring Session case studies. We know that Session information needs to be saved on the server side. This brings some trouble: we have to guarantee the availability of the server that holds the session information, and the method is not suitable for mobile terminals (it depends on cookies), and so on.

Is there a way to achieve authentication without storing Session information yourself? Just use a Token! JWT (JSON Web Token) is the implementation of this method. With it, the server does not need to save session data; the client only needs to save the Token returned by the server, and scalability is improved.

JWT is essentially a piece of signed JSON-formatted data. Because it is signed, the receiver can verify its authenticity.

Here is a more formal definition of JWT from RFC 7519:

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted. ---- JSON Web Token (JWT)

JWT consists of 3 parts:

Header: metadata describing the JWT. It defines the algorithm used to generate the signature and the type of the Token.
Payload: used to store the actual data to be transferred.
Signature: generated by the server from the Header, the Payload and a key (secret), using the signature algorithm specified inside the Header (the default is HMAC SHA256).

In Token-based application authentication, the server creates a Token from the Header, the Payload and a key (secret) and sends the Token to the client. The client stores the Token in a Cookie or in localStorage, and every request the client sends afterwards carries this Token. You can put it inside a Cookie so that it is sent automatically, but that cannot be used cross-domain, so a better approach is to put it in the Authorization HTTP header field: Authorization: Bearer Token.

1. The user sends a username and password to the server to log in to the system.
2. The authentication service responds and returns a signed JWT whose content states who the user is.
3. Every time the user sends a request to the backend, the JWT is carried in the header.
4. The server checks the JWT and obtains the user-related information from it.

Advantages of token authentication

Stateless

The token itself contains all the information required for authentication, so our server does not need to store Session information, which obviously increases the availability and scalability of the system and greatly reduces the pressure on the server. However, the statelessness of the token also causes its biggest disadvantage: when the backend discards a token or changes its permissions during the validity period of the token, the change does not take effect immediately. Generally, it is necessary to wait until the validity period expires. In addition, when the user logs out, the token is still valid, unless we add extra processing logic to the backend.

Token authentication common problems and solutions

1. Tokens are still valid in scenarios such as logout

Specific scenarios of this kind are:

1. sign out;
2. change password;
3. the server has modified the permissions or roles of a user;
4. the user's account is deleted / suspended;
5. the user is logged out by the administrator.

This problem does not exist in session authentication, because there the server can simply delete the corresponding session record. With token authentication it is not easy to solve. As we said, once the token is sent, if the backend does not add other logic, it will be valid until it expires. So how do we solve this problem? I checked a lot of material and summarized the following schemes:

- Store tokens in an in-memory database: store the tokens in a DB; an in-memory database such as Redis is a good choice here. If you need to invalidate a token, you can simply delete it from Redis. However, this adds a query to the DB for the existence of the token on every request that uses a token, and it violates the statelessness principle of JWT.
- Blacklisting mechanism: similar to the above, use an in-memory database such as Redis to maintain a blacklist. If you want a token to be invalidated, you add it directly to the blacklist. Then, every time a token is used to make a request, the server first checks whether the token exists in the blacklist.
- Modify Secret: we create a dedicated key for each user. If we want to invalidate a token, we can directly change the key of the corresponding user. However, this introduces more problems than the two in-memory-database schemes above, such as: (1) if the service is distributed, the keys must be synchronized across multiple machines each time a new token is issued; to do this you need to store the secrets in a database or other external service, so it is not much different from session authentication; (2) if the user opens the system in two browsers at the same time, or also opens it on a mobile phone, logging out of the account in one place forces a new login everywhere else. This is not desirable.
- Keeping tokens short-lived and rotating them frequently: a simple way. However, the login status of the user will not be persistently recorded, and the user needs to log in frequently.

It is relatively easy to solve the problem that the token is still valid after the password is changed. One way I think is better: use the hash value of the user's password to sign the token. Therefore, if the password is changed, any previous tokens will automatically fail to verify.
2. Token renewal issue

Generally, it is not recommended to set the token validity period too long, so how do we authenticate after the token expires, and how do we dynamically refresh the token to avoid users often needing to log in again?

Let's take a look at the general practice in session authentication: if the session is valid for 30 minutes and the user has accessed the system within those 30 minutes, the session validity period is extended by another 30 minutes.

1. Similar to the practice in session authentication: this scheme is satisfactory for most scenarios. Assume that the validity period of the token given by the server is 30 minutes. On each check, if the server finds that the token is about to expire, it regenerates the token and returns it to the client. The client compares the old and new tokens on every request, and if they are not consistent, it updates the local token. The problem with this approach is that the request only updates the token when it is about to expire, which is not very friendly to the client.
2. Each request returns a new token: the idea of this scheme is simple, but it is obvious that the overhead will be relatively large.
3. The validity period of the token is set to midnight: this scheme is a compromise solution, which guarantees that most users can log in normally during the day and is suitable for systems with low security requirements.
4. User login returns two tokens: the first is the accessToken, whose expiration time is the expiration time of the token itself, such as half an hour; the other is the refreshToken, which has a longer expiration time, such as 1 day. After the client logs in, the accessToken and refreshToken are saved locally, and the accessToken is passed to the server on each access. The server checks the validity of the accessToken. If it has expired, the client passes the refreshToken to the server; if that is valid, the server generates a new accessToken for the client, otherwise the client has to log in again. The shortcomings of this scheme are: (1) it needs the client to cooperate; (2) when the user logs out, it is necessary to ensure that both tokens are invalid; (3) during the process of re-requesting the token, the token may be temporarily unavailable (you can set a timer on the client and, when the accessToken is about to expire, obtain a new accessToken through the refreshToken ahead of time).
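The accessToken/refreshToken scheme (4.) above, as an added example that is not from the original notes: a TokenService class (hypothetical name) keeps both tokens in a server-side store, with a plain dict standing in for Redis, so that logout invalidates both tokens as shortcoming (2) requires and an administrator can revoke a user outright. The 30-minute and 1-day lifetimes come from the text; the store layout and the opaque random token format are assumptions.

```python
import secrets
import time

ACCESS_TTL = 30 * 60          # accessToken lifetime from the text: half an hour
REFRESH_TTL = 24 * 60 * 60    # refreshToken lifetime from the text: one day

class TokenService:
    # Assumption: a dict stands in for Redis. Key = opaque token string,
    # value = (user, kind, expires_at); Redis would use a TTL per key instead.
    def __init__(self):
        self._store = {}

    def _issue(self, user, kind, ttl, now):
        tok = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._store[tok] = (user, kind, now + ttl)
        return tok

    def _lookup(self, tok, kind, now):
        entry = self._store.get(tok)
        if entry is None or entry[1] != kind:  # unknown, revoked, or wrong token type
            return None
        if entry[2] <= now:
            self._store.pop(tok, None)         # lazy expiry, like a Redis TTL firing
            return None
        return entry[0]

    def login(self, user, now=None):
        now = time.time() if now is None else now
        return {"accessToken": self._issue(user, "access", ACCESS_TTL, now),
                "refreshToken": self._issue(user, "refresh", REFRESH_TTL, now)}

    def authenticate(self, access_token, now=None):
        # Called on every request: returns the user, or None if the client must refresh.
        return self._lookup(access_token, "access", time.time() if now is None else now)

    def refresh(self, refresh_token, now=None):
        # Exchange a valid refreshToken for a new accessToken; None means the
        # refreshToken is gone or expired and the client has to log in again.
        now = time.time() if now is None else now
        user = self._lookup(refresh_token, "refresh", now)
        return None if user is None else self._issue(user, "access", ACCESS_TTL, now)

    def logout(self, access_token, refresh_token):
        # Shortcoming (2): both tokens must die on logout, not just the accessToken.
        self._store.pop(access_token, None)
        self._store.pop(refresh_token, None)

    def revoke_user(self, user):
        # Password change, suspension or role change: drop every token of the user.
        # This is exactly the server-side state that pure JWT statelessness gives up.
        for tok in [t for t, e in self._store.items() if e[0] == user]:
            del self._store[tok]

def demo():
    # Constructed timeline (epoch seconds) so the run is deterministic.
    svc, t0 = TokenService(), 1_700_000_000
    pair = svc.login("alice", now=t0)
    before = svc.authenticate(pair["accessToken"], now=t0 + 10 * 60)       # "alice"
    expired = svc.authenticate(pair["accessToken"], now=t0 + ACCESS_TTL)   # None
    new_access = svc.refresh(pair["refreshToken"], now=t0 + ACCESS_TTL)    # fresh token
    refreshed = svc.authenticate(new_access, now=t0 + ACCESS_TTL + 60)     # "alice"
    svc.logout(new_access, pair["refreshToken"])
    after_logout = svc.refresh(pair["refreshToken"], now=t0 + ACCESS_TTL + 61)  # None
    return before, expired, refreshed, after_logout
```

Because every request hits the store, this is the stateful trade-off the notes describe; the lookup is what makes immediate logout and revocation possible.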
5. What is OAuth 2.0?

OAuth is an industry standard authorization protocol that is mainly used to authorize third-party applications to obtain limited permissions. OAuth 2.0 is a complete redesign of OAuth 1.0; OAuth 2.0 is faster and easier to implement, and OAuth 1.0 has been abandoned. For more information, see: rfc6749.

In fact, it is an authorization mechanism. Its ultimate purpose is to issue a time-limited token to third-party applications, so that the third-party applications can obtain the related resources through that token.

OAuth 2.0 is more commonly used for third-party logins. When your website can be accessed through third-party logins, it is generally the OAuth 2.0 protocol that is used.