Check Access Token every Request with Redis
I'm currently implementing an OAuth 2.0 Architecture for my RESTful API.
With each request I set up an Authorization Bearer Token in the HTTP Header for all my clients to make Authorized Requests.
Authorization: Bearer sdflksd3r4823vkn95-03850432
I understand that it's common practice to just accept the token in the API until the expiration date. But say if a user wanted to revoke the token, I would need to employ a method of checking the status of the token with each request.
So I was thinking of going to the Db to check for every HTTP request. I have a feeling that this won't scale nicely due to performance reasons.
So I was wondering if a solution like Redis would be appropriate for very fast single reads of the access token status?
Answer
The point of having an HMAC for a token is so that the server can verify it quickly without calling out to any external data store (eg Redis, MySQL, etc). This has the added benefit of scaling out nicely to multiple server since there is no shared state (all info to verify the token is the token itself and the key for the HMAC).
If you're going to have a blacklist of revoked tokens then something like Redis would probably be fine (though still slower than not doing a remote call for each token verification). Setup properly, with low latency between your Redis instance and your API server(s), you'll should see <10ms per request.
Bonus: Another option to speed things up even further would be to use a Bloom filter to handle caching of rejected API requests. That way you only go to Redis if the Bloom filter flags the request token as possibly revoked. Note that since this is another layer of caching you'll have to update the state of the Bloom filter when a token is rejected.