OAuth
Ninazu, 2018-07-20 13:23:48

JWT and OAuth for multiple devices?

I can roughly imagine how JWT and OAuth work separately. But how to combine them and at the same time leave the ability to work with multiple devices? I see it like this:
1. The client generates an ID for the device: **DeviceId**
2. Sends **DeviceId**, **Login**, **Password** to the server
3. The server generates **AccessToken**, **RefreshToken** and saves them in conjunction with **DeviceId** to distinguish between sessions on different devices.
Here are the questions:
1. Are the tokens random hashes in this case, or is it a JWT with some kind of payload inside?
2. Do I need to save **AccessToken** to the database? Or does it store a JWT with an authorized user, and only **RefreshToken** is stored?
3. What about a token compromise on one of the devices? When using **RefreshToken**, will the attacker log out the user only on this device, or will there be only one **RefreshToken** for the user, so that after the **AccessToken** on one of the devices expires and a new pair is generated, all devices will be logged out?
How is this generally done properly? Who has experience implementing it?
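The flow sketched in the question, as an added example that is not code from the original post: the access token is a stateless HS256 JWT carrying user and device claims, while the refresh token is an opaque random string whose hash is stored per (user, device), so revoking or rotating one device's refresh token leaves the other devices logged in. The signing key, the 15-minute TTL and the in-memory store are constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

SECRET = b"constructed-server-side-hmac-key"  # assumption: kept only on the server

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_access_token(user_id: str, device_id: str, ttl: int = 900, now=None) -> str:
    """Stateless JWT: nothing is stored server-side, the claims name user and device."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user_id, "dev": device_id, "iat": now, "exp": now + ttl}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_access_token(token: str, now=None) -> Optional[dict]:
    """Recompute HS256 with our own key (the header's alg is never trusted), then check exp."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = int(time.time()) if now is None else now
    return claims if claims["exp"] > now else None

class SessionStore:
    """Server-side table keyed by (user, device); only a hash of the refresh token is kept."""
    def __init__(self):
        self.sessions = {}

    def issue(self, user_id: str, device_id: str, now=None):
        refresh = secrets.token_urlsafe(32)  # opaque, high-entropy, not a JWT
        self.sessions[(user_id, device_id)] = hashlib.sha256(refresh.encode()).hexdigest()
        return make_access_token(user_id, device_id, now=now), refresh

    def rotate(self, user_id: str, device_id: str, refresh: str, now=None):
        """Exchange a refresh token for a new pair; a wrong or reused token kills this device only."""
        stored = self.sessions.get((user_id, device_id))
        presented = hashlib.sha256(refresh.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, presented):
            self.sessions.pop((user_id, device_id), None)  # other devices keep their sessions
            return None
        return self.issue(user_id, device_id, now=now)

    def revoke(self, user_id: str, device_id: str):
        self.sessions.pop((user_id, device_id), None)
```

Because each refresh token is single-use and rotated on every exchange, a stolen refresh token is detected the moment either the attacker or the legitimate client presents the older copy, and only that device has to log in again.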
