Don't decode access token on the client

robisim74 / AngularSPAWebAPI

Angular Single Page Application with an ASP.NET Core Web API that uses token authentication

MIT License

231 stars 59 forks source link

Closed robisim74 closed 7 years ago

robisim74 commented 7 years ago

Remove the decoding of the access token from the client to ensure that the token has not been altered:

Use UserInfo Endpoint to retrieve identity information about the user
Use _expiresin field to calculate expires of the access token and to implement a scheduler for the refresh token

robisim74 commented 7 years ago

done