Hi :)
First of all, thank you very much for your hard work on this library! It's amazing :blush:
I'm considering not exposing the JWT access tokens directly to the clients, and instead, implementing an API gateway that will convert the refresh tokens to JWTs on every request. The JWTs will then be passed to the internal microservices to ensure in-bounds security.
To do this, the client only needs access to the refresh tokens, as the regular JWTs (that will have an extremely short lifespan) are only used to authenticate and authorize the user internally. I plan to include all the permissions and scope information inside those JWTs, while the refresh token will only have a user payload.
I have 2 questions:
Will this architecture work? Is it secure?
Can I convert those refresh tokens into opaque encrypted tokens, to expose less information to the client?
Thank you very much! :smile:
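Added sketch of the flow described in the post (example code written for this page, not the library's own): the client holds only an opaque token, the gateway exchanges it for a short-lived internal JWT carrying the scopes, and each microservice verifies that JWT. Assumptions not in the post: HS256 with a key shared by gateway and services, a 30-second access-token lifetime, an in-memory refresh store, and an opaque token implemented as a random server-side reference (no payload at all) rather than an encrypted payload.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumptions (not from the original post): HS256 with a key shared by gateway and
# internal services, a 30 s access-token lifetime, and an in-memory refresh store.
JWT_SECRET = b"constructed-demo-secret-shared-with-internal-services"
ACCESS_TTL = 30                 # seconds: the "extremely short lifespan"
REFRESH_TTL = 30 * 24 * 3600    # seconds
# Constructed sample data. Scopes live only on the gateway side, never in the client's token.
PERMISSIONS = {"alice": ["orders:read", "orders:write"], "bob": ["orders:read"]}
REFRESH_STORE = {}  # opaque handle -> {"sub": ..., "exp": ...}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_refresh_token(user_id: str, now=None) -> str:
    """Issue a random reference token: the client holds a handle that carries no payload."""
    now = time.time() if now is None else now
    handle = secrets.token_urlsafe(32)
    REFRESH_STORE[handle] = {"sub": user_id, "exp": now + REFRESH_TTL}
    return handle

def gateway_exchange(refresh_token: str, now=None) -> str:
    """Gateway step: resolve the opaque token, then mint a short-lived internal JWT."""
    now = time.time() if now is None else now
    entry = REFRESH_STORE.get(refresh_token)
    if entry is None or entry["exp"] <= now:
        raise PermissionError("unknown or expired refresh token")
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    claims = {"sub": entry["sub"], "scope": PERMISSIONS.get(entry["sub"], []),
              "iat": int(now), "exp": int(now) + ACCESS_TTL}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_internal_jwt(token: str, now=None) -> dict:
    """What each microservice does: pin the alg, check the MAC and expiry, then trust the claims."""
    now = time.time() if now is None else now
    header, body, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(JWT_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        raise PermissionError("access token expired")
    return claims
```

Because the refresh token is a random handle, revoking it is a single delete from the store, and a leaked handle reveals nothing about the user or their scopes.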