Open phish108 opened 2 years ago
Instead of having a locally stored session id to validate against, we should issue a JWT with the session information.
This would allow us to store information about the user, the scope and the authorised site.
This token should be a JWS+JWE, so it is signed by us and encrypted for us.