Hi :)
First of all, thank you very much for your hard work on this library! It's amazing 😊
I'm considering not exposing the JWT access tokens directly to the clients, and instead, implementing an API gateway that will convert the refresh tokens to JWTs on every request. The JWTs will then be passed to the internal microservices to ensure in-bounds security.
To do this, the client only needs access to the refresh tokens, as the regular JWTs (that will have an extremely short lifespan) are only used to authenticate and authorize the user internally. I plan to include all the permissions and scope information inside those JWTs, while the refresh token will only have a user payload.
I have 2 questions:
Will this architecture work? Is it secure?
Can I convert those refresh tokens into opaque encrypted tokens, to expose less information to the client?
Thank you very much! 😄
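An added example (not code from this issue or from the library it is filed against) of the exchange described above: the client only ever holds an opaque random refresh-token handle, so there is nothing inside it to encrypt, and the gateway trades it on every request for a short-lived HS256 JWT that carries the scopes for the internal services. The signing key, the 30-second TTL, the in-memory store and the `lookup_scopes` callback are constructed assumptions for the demo.

```python
"""Added example (not the issue author's or any library's code): an API gateway
that keeps JWTs internal. Clients hold only an opaque random refresh token;
the gateway exchanges it for a short-lived HS256 JWT carrying the scopes."""
import base64, hashlib, hmac, json, secrets, time

ACCESS_TTL = 30  # seconds; assumed value for the "extremely short lifespan"
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # constructed, for the demo
# Server-side store: sha256(handle) -> user payload. A random handle carries no
# data, so nothing needs encrypting and nothing leaks to the client.
_refresh_store = {}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_refresh_token(user_id, expires_in=30 * 86400, now=None):
    """Return a 256-bit random handle; only its hash is persisted."""
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    _refresh_store[key] = {"sub": user_id, "exp": (now or time.time()) + expires_in}
    return token

def mint_access_jwt(user_id, scopes, now=None):
    """Internal JWT: subject + scopes, valid for ACCESS_TTL seconds."""
    now = int(now or time.time())
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    claims = {"sub": user_id, "scope": " ".join(scopes), "iat": now, "exp": now + ACCESS_TTL}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def gateway_exchange(refresh_token, lookup_scopes, now=None):
    """Gateway step on every request: validate the opaque handle, mint the JWT.
    Returns None for an unknown or expired handle (client never sees a JWT)."""
    now = now or time.time()
    entry = _refresh_store.get(hashlib.sha256(refresh_token.encode()).hexdigest())
    if entry is None or entry["exp"] <= now:
        return None
    return mint_access_jwt(entry["sub"], lookup_scopes(entry["sub"]), now)

def verify_internal_jwt(token, now=None):
    """Microservice side: pin the algorithm, check signature and expiry."""
    now = now or time.time()
    parts = token.split(".")
    if len(parts) != 3 or parts[0] != _b64url(b'{"alg":"HS256","typ":"JWT"}'):
        return None  # reject anything but the exact header we mint (no alg=none)
    expected = hmac.new(SIGNING_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), parts[2]):
        return None
    claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
    return claims if claims.get("exp", 0) > now else None
```

With this layout the refresh handle becomes the client's only long-lived bearer credential, so it needs the same care a session cookie gets (TLS only, revocable via the store, rotated on use).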