This is actually quite a subjective topic.
Blacklisting may still be more efficient in some cases:
- If you use Opaque access tokens, then depending on how you store them and their data, you may need to acquire certain locks while reading/writing to them. So on each API call, there is a chance that your authentication read to the db might have to be synchronised with other reads/writes. In the case of storing blacklisted JWTs, you would never use it for anything else apart from just checking if a JWT has been revoked — which would never require any sort of locks or synchronisation in any db. So reads to this would be more efficient from a theory point of view.
- You could use some sort of probabilistic checking method, where you have a Bloom-filter-like data structure that you query first to check for blacklisting — this would mostly be quite efficient to read from, and if this returns that it is not blacklisted, then you can continue, but if it returns that the token is blacklisted, then you may have to actually query the db to confirm that (that's one of the properties of a Bloom filter). And since most JWTs will not be blacklisted, this could be a good solution. However, the actual efficiency totally depends on your setup.
- In the Opaque access token method, you have to store each and every token in the db. Whereas in JWT with blacklisting, you need to store just a few tokens in the db (in fact, most JWTs will not be stored since most are not blacklisted). So in terms of space complexity, JWT with blacklisting wins.
So given the arguments above, using JWT with blacklisting is still a better option since it saves you space.
The problem with JWT is that it relies on one shared key for all users — which can be a security bottleneck (you can keep changing it... but still). The other problem compared to Opaque access tokens is that higher bandwidth is consumed, since JWTs are generally way longer than Opaque access tokens. If these are a concern to you, then stick with Opaque access tokens, else go with JWT.
I hope this answer helps you. Feel free to join our Discord server for more discussions: https://discord.gg/zVcVeev
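A minimal sketch of the Bloom-filter-fronted blacklist check described in the second bullet, added here as an illustration and not code from the answer above. `BloomFilter`, `RevocationChecker`, the in-memory set standing in for the database's revocation table, and the `jti` sample values are all assumed for the example.

```python
import hashlib
from typing import Iterable


class BloomFilter:
    """Fixed-size Bloom filter: membership test with false positives but never false negatives."""

    def __init__(self, n_bits: int = 1 << 16, n_hashes: int = 5) -> None:
        self.n_bits = n_bits
        self.n_hashes = n_hashes
        self.bits = 0  # a Python int used as a bit array

    def _positions(self, item: str) -> Iterable[int]:
        # Derive k positions from keyed blake2b digests; the key just varies the hash per slot.
        for i in range(self.n_hashes):
            digest = hashlib.blake2b(item.encode(), digest_size=8, key=i.to_bytes(2, "big")).digest()
            yield int.from_bytes(digest, "big") % self.n_bits

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits |= 1 << pos

    def might_contain(self, item: str) -> bool:
        return all((self.bits >> pos) & 1 for pos in self._positions(item))


class RevocationChecker:
    """Blacklist lookup: cheap Bloom pre-check first, authoritative store only on a Bloom hit."""

    def __init__(self) -> None:
        self.bloom = BloomFilter()
        self.store: set = set()   # stands in for the revocation table in the database (assumed)
        self.store_lookups = 0    # counts the expensive path, for illustration only

    def revoke(self, jti: str) -> None:
        # Both structures are updated; the Bloom filter never holds something the store lacks.
        self.store.add(jti)
        self.bloom.add(jti)

    def is_revoked(self, jti: str) -> bool:
        if not self.bloom.might_contain(jti):
            return False           # no false negatives, so the database round-trip is skipped
        self.store_lookups += 1
        return jti in self.store   # a Bloom hit may be a false positive, so confirm it
```

Note that the filter only shrinks the number of database reads for unrevoked tokens; a revoked token still costs one authoritative lookup, and the filter must be rebuilt when entries expire, since a plain Bloom filter cannot delete.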