Comment by catlifeonmars

Comment by catlifeonmars 4 days ago

Having a short session expiry is a workaround for not being able to revoke a token in real time. This is really the fault of stateless auth protocols (like OAuth) which do offline authentication by design. This allows authentication to scale in federated identity contexts.

apitman 4 days ago

OAuth2 is not inherently stateless.

Reply View 2 replies

catlifeonmars 4 days ago

Good call. I said OAuth but what I meant was OIDC and specifically JWT. OAuth (not OIDC) implementations MAY use opaque access tokens that require server side state to validate.

Reply View | 1 reply
- apitman 4 days ago
  
  Ah makes sense
  
  Reply View | 0 replies