On Tue, Jun 25, 2019 at 10:59 AM Prabath Siriwardena <[email protected]> wrote:
> +1
>
> This is what we plan in IS too - to make all the tokens JWT by default.
> This approach also helps in multi-regional setups.
>
> The drawback is the revocation. But we can find a workaround for that.

We have currently implemented a messaging based solution for that. The KM (IS) would be notifying a topic on a broker to which the Microgateways are all subscribed. When a token is revoked the Microgateways would get to know about that through the broker. The Microgateway would also persist the revoked tokens locally (until expiry) to deal with restarts of the Microgateways.

> Thanks & Regards
> -Prabath
>
> On Mon, Jun 24, 2019 at 10:23 PM Nuwan Dias <[email protected]> wrote:
>
>> Hi,
>>
>> I've recently been thinking about $subject. Currently when we generate an access token we persist it in the DB for various reasons. One of those reasons is for validation of the issued token. But with self-contained signed access tokens we no longer need to look up the DB to validate the access token. Not having to look up a DB during validation is a very powerful capability which opens avenues for heavily distributed architectures, regional resiliencies and so on. What would be the downsides of not persisting self-contained access tokens? And what mechanisms can we come up with to remediate those?
>>
>> Thanks,
>> NuwanD.
>>
>> --
>> *Nuwan Dias* | Director | WSO2 Inc.
>> (m) +94 777 775 729 | (e) [email protected]
>
> --
> Thanks & Regards,
> Prabath
> https://github.com/prabath/me

--
*Nuwan Dias* | Director | WSO2 Inc.
(m) +94 777 775 729 | (e) [email protected]
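The gateway-side half of the revocation scheme described in the thread (broker event in, local revocation cache that forgets entries once the token would have expired anyway, local persistence to survive a restart), as an added example and not WSO2 Microgateway or Identity Server code. It assumes a revocation event carries the token's `jti` and `exp` claims, that the JWT signature has already been verified before `validate` is called, and that a JSON file is an acceptable local store.

```python
"""Added example: local revocation cache for self-contained JWTs at a gateway."""
import json
import time
from pathlib import Path


class RevocationCache:
    """Holds revoked token ids only until their own expiry, so it stays bounded."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, handy for tests
        self._revoked = {}         # jti -> exp (unix seconds)

    def on_revocation_event(self, event: dict) -> None:
        # Assumed broker message shape: {"jti": "...", "exp": <unix seconds>}.
        self._revoked[event["jti"]] = int(event["exp"])

    def is_revoked(self, jti: str) -> bool:
        self._prune()
        return jti in self._revoked

    def _prune(self) -> None:
        # An entry whose token has expired can never be presented validly again.
        now = self._now()
        for jti in [j for j, exp in self._revoked.items() if exp <= now]:
            del self._revoked[jti]

    def save(self, path: Path) -> None:
        # Persist so a restarted gateway does not accept tokens revoked earlier.
        self._prune()
        path.write_text(json.dumps(self._revoked))

    @classmethod
    def load(cls, path: Path, now=time.time) -> "RevocationCache":
        cache = cls(now)
        if path.exists():
            cache._revoked = {j: int(e) for j, e in json.loads(path.read_text()).items()}
            cache._prune()
        return cache


def validate(claims: dict, cache: RevocationCache, now=time.time) -> str:
    """Decide on an already signature-verified token without any DB lookup.

    Returns "expired", "revoked" or "ok". Checking exp first means an
    expired token is never served from the revocation cache at all.
    """
    if int(claims.get("exp", 0)) <= now():
        return "expired"
    if cache.is_revoked(claims.get("jti", "")):
        return "revoked"
    return "ok"
```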
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
