  • stateless vs stateful replication of access and refresh tokens
  • implemented as JWTs since 13.5
  • stateful
    • call down to persistent store to check validity and against blacklist
    • token is basic reference - opaque string
  • stateless - checked against Bloom filter, then cache, then CTS
  • Bloom filter able to answer definitively no or maybe
    • uncertainty leads to checking cache, then CTS
    • JWT is richly populated
    • only one Bloom filter list, replicated everywhere quickly
  • If you have a huge number of long-lived refresh tokens, the blacklist becomes huge. Although a Bloom filter can store 100 million entries in 2 GB of RAM, maybe stateless isn't the best configuration for this use case.
  • In a distributed deployment, there is still only one Bloom filter, but it is replicated
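
The stateless lookup order from the notes above (Bloom filter, then cache, then CTS), as an added example that is not the product's own code. The class names, the `jti-...` token ids and the in-memory set standing in for CTS are assumptions constructed for illustration.

```python
import hashlib

class BloomFilter:
    """Answers 'definitely not present' or 'maybe present', never a false 'no'."""
    def __init__(self, size_bits=1 << 16, hashes=4):
        self.size, self.hashes = size_bits, hashes
        self.bits = bytearray((size_bits + 7) // 8)

    def _positions(self, item):
        # k bit positions derived from salted SHA-256 digests of the item
        for i in range(self.hashes):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def might_contain(self, item):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))

class BlacklistChecker:
    """Hypothetical checker: Bloom filter first, then local cache, then CTS."""
    def __init__(self, bloom, cts_blacklist):
        self.bloom, self.cts, self.cache = bloom, cts_blacklist, {}
        self.cts_reads = 0

    def is_blacklisted(self, token_id):
        if not self.bloom.might_contain(token_id):
            return False, "bloom"            # definitive no: nothing else is consulted
        if token_id in self.cache:
            return self.cache[token_id], "cache"
        self.cts_reads += 1                  # "maybe": only the store can confirm
        self.cache[token_id] = token_id in self.cts
        return self.cache[token_id], "cts"

def demo():
    cts = {"jti-revoked-1", "jti-revoked-2"}     # constructed blacklist entries
    bloom = BloomFilter()
    for token_id in cts:
        bloom.add(token_id)
    normal = BlacklistChecker(bloom, cts)
    ids = ("jti-valid-9", "jti-revoked-1", "jti-revoked-1")
    normal_results = [normal.is_blacklisted(t) for t in ids]
    # Saturated filter (all bits set) forces a false positive for a valid token.
    full = BloomFilter(size_bits=8, hashes=1)
    full.bits[0] = 0xFF
    noisy = BlacklistChecker(full, cts)
    noisy_results = [noisy.is_blacklisted("jti-valid-9") for _ in range(2)]
    return normal_results, normal.cts_reads, noisy_results, noisy.cts_reads
```

The saturated filter shows why a "maybe" is never treated as revoked on its own: the valid token is cleared by the store lookup and then served from cache.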