Offline Access and Authentication
4 hours ago
- #jwt
- #offline-access
- #authentication
- Offline authentication is possible with asymmetric JWT verification and an offline grace period.
- FusionAuth signs JWTs with a private key; the public key is available via JWKS endpoint for local verification.
- Initial login requires online access to obtain access and refresh tokens.
- JWKS should be cached on the device or bundled with the app for offline use.
- Access tokens are validated locally by checking signature, expiration, and claims.
- A grace period (e.g., 24 hours past expiration) can allow limited offline functionality.
- Token lifetimes (access and refresh) are configurable per tenant or application.
- Refresh tokens can be revoked on events like password changes, but revocation only takes effect on next refresh.
- Trade-offs include delayed revocation, reliance on device clock, stale claims, and MFA degradation offline.
- Practical setup includes short access token TTLs, long refresh tokens, and periodic online check-ins.