macielti / porteiro

A microservice for users and authentication management

Trust in the JWToken to do roles verification can be a problem #40

Open macielti opened 2 years ago

macielti commented 2 years ago

What if we want to drop some roles from a user instantly? The user will remain in possession of the roles while the current JWToken is valid and not expired.

If we want the roles update operation to affect users instantly, we should think of a way of having a service responsible for validating JWToken sessions, so the user-identity interceptor of every service would verify the JWToken using this service before letting the request through.

This has its pros and cons. One pro is that we will be able to expire JWToken sessions actively instead of having to wait passively for the expiration time. One con is that we would have to make an HTTP call to the JWToken session verification service every time we need to use the info stored in JWTokens.

I think that one HTTP call is a fair price to pay for the guarantee and access-control benefits that it will enable us to have.
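Added example (not code from the porteiro project or from the issue author): a minimal HS256 JWT issuer and two interceptors side by side. `authorize_from_claims` trusts the roles snapshot embedded in the token, which is the problem the issue describes; `authorize_via_session_service` does the offline signature and expiry checks and then asks a session service for the live roles of the session named by `jti`. The in-memory `SessionService` class, the key, the user and role names and the function names are all assumptions made for the example; in the proposed design the lookup would be the HTTP call to the separate service.

```python
import base64
import hashlib
import hmac
import json
import uuid

# Assumption: one shared HS256 key; constructed for this example only.
SECRET = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionService:
    """Stand-in for the separate session service the issue proposes.

    It is the only authority on which sessions are alive and which roles they
    currently hold; the JWT merely names the session through its jti claim.
    """

    def __init__(self):
        self._sessions = {}  # jti -> set of live roles

    def register(self, jti, roles):
        self._sessions[jti] = set(roles)

    def drop_role(self, jti, role):
        self._sessions[jti].discard(role)

    def revoke(self, jti):
        self._sessions.pop(jti, None)

    def lookup(self, jti):
        """Current role set for a live session, or None once it was revoked."""
        return self._sessions.get(jti)


def issue_token(sessions, user_id, roles, now, ttl=3600):
    """Mint an HS256 JWT and register its session with the session service.

    The roles claim is a snapshot taken at issue time; it is kept here only to
    show why trusting it is the problem described in the issue.
    """
    jti = str(uuid.uuid4())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "jti": jti, "roles": list(roles),
              "iat": now, "exp": now + ttl}

    def enc(obj):
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    sessions.register(jti, roles)
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, now):
    """Offline checks only: algorithm pinning, signature, expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def authorize_from_claims(token, required_role, now):
    """The problematic interceptor: trusts the roles snapshot inside the JWT."""
    try:
        return required_role in verify_token(token, now)["roles"]
    except ValueError:
        return False


def authorize_via_session_service(token, required_role, sessions, now):
    """The interceptor the issue proposes: offline checks first, then ask the
    session service for the live roles of the session named by jti."""
    try:
        claims = verify_token(token, now)
    except ValueError:
        return False
    live_roles = sessions.lookup(claims["jti"])
    return live_roles is not None and required_role in live_roles


def demo(now=1_700_000_000):
    """Drop a role, then revoke the session, and compare both interceptors.

    Each value is (trusting the claims, asking the session service)."""
    sessions = SessionService()
    token = issue_token(sessions, "alice", ["user", "admin"], now)
    jti = verify_token(token, now)["jti"]
    results = {}
    results["admin_before"] = (authorize_from_claims(token, "admin", now),
                               authorize_via_session_service(token, "admin", sessions, now))
    sessions.drop_role(jti, "admin")  # the instant role drop from the issue
    results["admin_after_drop"] = (authorize_from_claims(token, "admin", now),
                                   authorize_via_session_service(token, "admin", sessions, now))
    results["expired"] = (authorize_from_claims(token, "user", now + 7200),
                          authorize_via_session_service(token, "user", sessions, now + 7200))
    sessions.revoke(jti)  # active session expiry, no need to wait for exp
    results["user_after_revoke"] = (authorize_from_claims(token, "user", now),
                                    authorize_via_session_service(token, "user", sessions, now))
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(step, outcome)
```

With the same unexpired token, the claims-trusting interceptor keeps granting `admin` after the role is dropped and keeps granting `user` after the session is revoked, while the session-service interceptor denies both immediately; only the passive expiry check behaves the same in both. The offline signature and `exp` checks stay in front of the session lookup so that forged or stale tokens are rejected before spending the extra call.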

macielti commented 2 years ago

Having the JWToken session life cycle controlled by a separate service will give us more room to scale, given that this operation could be costly depending on the number of active users hitting the services at the same time.

Another good point of having it done by a separate service is that it will be easier to use it not from just one but from every service that needs its users to be authenticated in order to hit its endpoints.