JSON Web Token
runprogr, 2021-03-19 20:28:32

How do you usually work with jwt?

There is, for example, a chain that works with a token.
Frontend of some service -> Backend of some service -> Authorization service.

Question 1)
How does the authorization service usually check validity? Is the access token decrypted and its signature checked, while the refresh token is checked against the database?
With such a system, is there no way for us to invalidate the token until its expiration date passes?

Question 2)
Who in this chain usually decrypts the jwt?
Is the jwt usually decrypted on the frontend (for example, to pull out the token expiration time, user data, rights/roles)? Or is this bad practice?
Is the jwt usually decrypted on the backend of some service (not the authorization service, but another one)? For example, so that the validity of the token can be determined by decrypting it rather than making an additional request to the authorization service, and so that the user data can be taken from the token, again without a request to the authorization service. Or is this bad practice?
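The mechanics behind both questions, as an added example that is not part of this post: a backend service verifying an HS256 token locally (pinned algorithm, signature, exp) and then consulting a revocation list keyed by the jti claim, which is how an access token can be rejected before it expires without every request going to the authorization service. The key, the revoked-id set and the claims are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; a real deployment loads it from a secret store shared
# between the authorization service (issuer) and the backends that verify.
SECRET = b"demo-shared-secret-not-for-production"
# Revoked token ids (jti claim); in practice a shared cache fed by the auth
# service on logout or compromise, so backends can reject before 'exp'.
REVOKED_JTI = {"tok-0002"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT, the authorization service's side of the chain."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, key: bytes = SECRET, now=None) -> dict:
    """Local verification as a resource backend does it, with no call to the auth
    service: pinned alg, signature, exp, then the jti denylist. Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    # Never trust the token's own 'alg' (e.g. 'none'); pin the one you issue.
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))  # read claims only once the signature holds
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    if claims.get("jti") in REVOKED_JTI:
        raise ValueError("revoked")
    return claims

def check(token: str, now=None) -> str:
    """Return 'ok' or the rejection reason, the value a backend would log."""
    try:
        verify_token(token, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)
```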
