What is the best way to authorize users through JWT?
I think it goes like this: the user sends their credentials, passes verification at the authorization service, an access_token is generated, it is written to the database in which the "sessions" are stored, and the access_token is sent to the user.
But here's the thing: when the user wants to access a protected resource, the JWT passes the cryptographic check, the role and the validity period of the token are checked, and you also need to query the database with sessions to find out whether this session is there and whether it is active. I think this approach makes it possible to build good protection against stolen cookies. But constantly accessing the database from the middleware is somehow too expensive.
Is there any sensible way to reset all active sessions of an account and to check whether a session is active?
You are confusing JWT and sessions. The whole point of JWT is that you do not need to write anything to the database. If you need to track user sessions and drop them, then JWT is not for you.
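For readers weighing the scheme in the question against the answer, here is an added example (not code from either poster) of the flow the question describes: a signed HS256 JWT whose claims (signature, `exp`, `role`) are verified statelessly, plus a `jti` lookup in a session store so that all sessions of an account can be revoked. It uses only the Python standard library; the in-memory `SESSIONS` dict, the helper names and the test secret are assumptions standing in for whatever store (Redis, a table) a real deployment would use. The lookup is a single keyed read, which is the cost the question is worried about; the stateless path is everything before that read.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time


class InvalidToken(Exception):
    """Raised when a token fails any check (signature, expiry, revocation)."""


# Hypothetical session store keyed by the token's jti claim.
# In production this is a cache or table; the middleware does one keyed read.
SESSIONS = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, user_id: str, role: str, ttl: int, now=None) -> str:
    """Sign an HS256 JWT and record its jti as an active session (the 'login' step)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "role": role, "iat": now, "exp": now + ttl,
               "jti": secrets.token_urlsafe(16)}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    SESSIONS[payload["jti"]] = {"sub": user_id, "active": True}
    return signing_input + "." + _b64url(sig)


def verify_token(secret: bytes, token: str, now=None) -> dict:
    """Middleware check: signature and expiry (stateless), then session lookup (stateful)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (binascii.Error, ValueError):
        raise InvalidToken("undecodable token")
    # Pin the algorithm: never let the token choose "none" or a different scheme.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    # Only now is the payload trustworthy enough to parse.
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise InvalidToken("expired")
    # The one stateful step: is this jti still an active session of this user?
    session = SESSIONS.get(payload.get("jti"))
    if session is None or not session["active"] or session["sub"] != payload.get("sub"):
        raise InvalidToken("session revoked or unknown")
    return payload


def is_valid(secret: bytes, token: str, now=None) -> bool:
    try:
        verify_token(secret, token, now)
        return True
    except InvalidToken:
        return False


def revoke_all_sessions(user_id: str) -> int:
    """'Log out everywhere': deactivate every session of the account; returns how many."""
    count = 0
    for session in SESSIONS.values():
        if session["sub"] == user_id and session["active"]:
            session["active"] = False
            count += 1
    return count


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    tok = issue_token(key, "alice", "admin", ttl=3600)
    print("valid after login:", is_valid(key, tok))
    print("revoked sessions:", revoke_all_sessions("alice"))
    print("valid after revocation:", is_valid(key, tok))
```

Note that the signature check (and the `alg` pin) runs before the payload is parsed, so a forged or "alg: none" token never reaches the store. If the per-request lookup is still too costly, the usual compromises are a short `exp` with a refresh token checked against the store only on renewal, or a per-user token version kept in a cache; both are trade-offs between the statelessness the answer describes and the revocation the question asks for.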