Yes!!! In fact, that's a widely used approach. The issue: you have the same revocation problem; long-lived refresh tokens can't be revoked. Solution: keep a blacklist of JWTs in a DB until they expire... but then it is not stateless.
"Long-lived refresh tokens can't be revoked" <- this is false, or at least it is not proven.
Producing a sample solution can be used to prove possibility. But to prove impossibility, we have to prove that ALL solutions do not work.
Being really precise, true, I did not do a formal proof of that... Anyway, for the moment it is not known how to revoke such tokens without state, should it even be possible... so for practical purposes, it's the same.
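The trade-off the thread is discussing, as an added example that is not part of the original comments: a minimal HS256 JWT minted with a `jti` and `exp`, a purely stateless check (signature plus expiry), and a server-side denylist keyed by `jti`. Revocation only works through the denylist, and the denylist is the state; its entries can be pruned once the token would have expired anyway, so the state is bounded by the refresh-token lifetime but never zero. The key, claims and timestamps are constructed for the demo, and the hand-rolled JWT encoding is a stand-in for whatever library a real service would use.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real service loads this from a secret store.
KEY = b"demo-hs256-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, key: bytes, ttl: int, now: int) -> str:
    """Mint an HS256 JWT carrying a unique jti and an exp, so it can be denylisted later."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, jti=secrets.token_hex(16), iat=now, exp=now + ttl)
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(body, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_stateless(token: str, key: bytes, now: int) -> dict:
    """Signature and expiry check only: needs no server-side state at all."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


class Denylist:
    """Revoked jti -> exp. This is the state the thread talks about: a revoked token
    must be remembered until its exp, after which the stateless check rejects it anyway."""

    def __init__(self) -> None:
        self._revoked: dict[str, int] = {}

    def revoke(self, claims: dict) -> None:
        self._revoked[claims["jti"]] = claims["exp"]

    def prune(self, now: int) -> None:
        # Drop entries whose token has expired; the list is bounded by the token TTL.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked

    def __len__(self) -> int:
        return len(self._revoked)


def verify(token: str, key: bytes, denylist: Denylist, now: int) -> dict:
    """Stateless check first, then the stateful revocation check."""
    claims = verify_stateless(token, key, now)
    if denylist.is_revoked(claims["jti"]):
        raise ValueError("revoked")
    return claims


def demo() -> dict:
    """Walk a 30-day refresh token through issue, revoke, prune and natural expiry."""
    now = 1_700_000_000  # constructed epoch timestamp
    dl = Denylist()
    refresh = mint({"sub": "alice"}, KEY, ttl=30 * 86400, now=now)
    out = {}
    out["valid_before_revoke"] = verify(refresh, KEY, dl, now + 3600)["sub"]
    dl.revoke(verify_stateless(refresh, KEY, now))  # e.g. user logged out
    try:
        verify(refresh, KEY, dl, now + 3600)
        out["after_revoke"] = "accepted"
    except ValueError as e:
        out["after_revoke"] = str(e)
    out["size_before_prune"] = len(dl)
    dl.prune(now + 31 * 86400)  # token would be expired by now, entry can go
    out["size_after_prune"] = len(dl)
    try:
        verify(refresh, KEY, dl, now + 31 * 86400)
        out["after_exp"] = "accepted"
    except ValueError as e:
        out["after_exp"] = str(e)
    forged = mint({"sub": "alice"}, b"attacker-guessed-key", ttl=3600, now=now)
    try:
        verify(forged, KEY, dl, now + 60)
        out["forged"] = "accepted"
    except ValueError as e:
        out["forged"] = str(e)
    return out


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete: between `revoke()` and `prune()` the server must consult the denylist on every request, so any instance that skips the lookup (a cache, a replica that has not synced) accepts the revoked token. Shortening the refresh-token TTL shrinks the window and the list, it does not remove the state.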