
How does a system with JWT authentication and a refresh_token scale out horizontally?

I'm trying to make my web-app's authentication with JWT.

I chose that because JWT is good for scaling out (horizontally) the system, since we won't need to store anything (such as session data) on the server.

I also want to make my login form with a "Keep me logged in" option. Then I found the magic refresh_token solution.

It's a good solution.

However, I am concerned about how it can accomplish the scale-out purpose, because, AFAIK, we have to store data about the refresh_token in a database or something like that.

PS: I'm new to distributed systems; if the explanation above is wrong, please help correct me. Thanks.

The refresh token is held by the client; no server-side storage should be needed (unless you are thinking about some "strange" usage scenario). So there are no horizontal scaling issues. On the server, you only keep the client_id and secret (which is an env var or similar, so not an obstacle to horizontal scalability).

There's a similar discussion: How to securely keep my users signed in with refresh tokens?

Edit due to the discussion in the comments. The server always validates the access token (whether it has expired, whether the signature is valid, whether the issuer is whitelisted, whether it contains the required scope, etc.). A refresh token is used to request a new access token when the old one has expired; that's its only purpose.

And yes, the server needs some data for validation, but it's provided by the OAuth2 service provider through a .well-known endpoint or similar. So the server needs to be able to communicate with the service provider to fetch the info required for validation.

Those .well-known endpoints are usually public, for example:
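The following is an added example illustrating the answer's point; it is not code from the original question or answer. It shows why validation is stateless: any node that holds the same secret and the same clock can check an access token's signature, expiry, issuer and scope with no database lookup, and a refresh token carried by the client can be exchanged for a fresh access token on any node. It assumes HS256 with a shared secret (the answer mentions a secret; a deployment that fetches keys from a .well-known endpoint would use RS256 and the provider's public key instead). The issuer URL, secret, lifetimes and user id are made up for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values for the example. In production SECRET comes from an env var
# (or a secrets manager) that every node receives; never hard-code it.
SECRET = b"example-only-replace-with-32-random-bytes"
ISSUER = "https://auth.example.com"  # assumed issuer; must match the "iss" claim


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a compact HS256 JWT: base64url(header).base64url(claims).base64url(mac)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


def verify_jwt(token: str, *, required_scope=None, now=None, secret: bytes = SECRET) -> dict:
    """Stateless validation: needs only the shared secret and the clock, no DB.

    Order matters: check the signature before trusting any claim, pin the
    algorithm instead of honouring whatever "alg" the token carries, then
    check expiry, issuer and scope exactly as the answer lists them.
    """
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if required_scope is not None and required_scope not in claims.get("scope", "").split():
        raise ValueError("missing scope")
    return claims


def issue_tokens(user_id: str, now: int, access_ttl: int = 900, refresh_ttl: int = 30 * 24 * 3600):
    """Return (access_token, refresh_token) for a login. Assumed lifetimes: 15 min / 30 days."""
    access = sign_jwt({
        "iss": ISSUER, "sub": user_id, "typ": "access",
        "scope": "read write", "iat": now, "exp": now + access_ttl,
    })
    refresh = sign_jwt({
        "iss": ISSUER, "sub": user_id, "typ": "refresh",
        "iat": now, "exp": now + refresh_ttl,
    })
    return access, refresh


def refresh_access_token(refresh_token: str, now: int) -> str:
    """Exchange a client-held refresh token for a new access token.

    Works on any node: the refresh token is validated the same stateless way,
    and the only extra check is that an access token is not accepted here.
    """
    claims = verify_jwt(refresh_token, now=now)
    if claims.get("typ") != "refresh":
        raise ValueError("not a refresh token")
    access, _ = issue_tokens(claims["sub"], now)
    return access


if __name__ == "__main__":
    login_time = 1_700_000_000  # constructed timestamp
    access, refresh = issue_tokens("alice", login_time)
    print(verify_jwt(access, required_scope="write", now=login_time + 10)["sub"])
    print(refresh_access_token(refresh, now=login_time + 1000)[:20] + "...")
```

The trade-off to keep in mind when you take the fully stateless route: a token that is validated only from the secret and the clock cannot be revoked before its `exp`. That is acceptable for a short-lived access token; for a long-lived refresh token, deployments that need logout-everywhere or compromise response usually keep a small shared store of revoked token ids (the `jti` claim) after all, which is the one place the scale-out question genuinely arises.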
