← Back to context

Comment by catlifeonmars

3 days ago

Having a short session expiry is a workaround for not being able to revoke a token in real time. This is really the fault of stateless auth protocols (like OAuth) which do offline authentication by design. This allows authentication to scale in federated identity contexts.

3 comments

catlifeonmars

Reply

apitman 2 days ago

OAuth2 is not inherently stateless.

catlifeonmars 2 days ago
Good call. I said OAuth but what I meant was OIDC and specifically JWT. OAuth (not OIDC) implementations MAY use opaque access tokens that require server side state to validate.
- apitman 2 days ago
  
  Ah makes sense