OAuth2/OIDC session strategy
#12563
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
-
Goals
Follow best practices established by OAuth2/OIDC for establishing a balance between security and performance/convenience via the use of short lived client side access_token JWTs and long lived refresh_token client side values + server side hashes.
Non-Goals
Having Auth.js allow you to be a full fledged OAuth2/OIDC IdP out of the box is likely too ambitious.
Background
The two current session strategies, "jwt" and "database", both have weaknesses that the OAuth2/OIDC designers established a flexible compromise between. These downsides are largely documented by Auth.js itself in the session-strategy page, but I can summarize a few key tradeoffs. JWTs cannot be revoked so they generally need a shorter expiration, but database sessions/refresh_tokens require a database hit every time increasing load on the authentication database, having a short lived access_token JWT for performance at the cost of them not being possible to revoke prior to their expiration is a compromise that many find desirable.
Proposal
Implement a session strategy that uses both short lived access_token JWTs and also long lived refresh_token's that get hashed and stored in a session table that can be revoked from at will.
Beta Was this translation helpful? Give feedback.
All reactions