I'm not sure I fully understand the concepts of how a proper JWT Authentication must work. I have found an article about JWT Authentication where author talks that:
"...the token is self-contained, so the client just needs to resend it to the server for each request, and the server just has to check the signature to ensure its validity. No more useless calls to the database or LDAP."
I'm a little bit concerned about the phrase "No more useless calls to the database or LDAP".
But how to check, for example, that the user still exists in the system, or that the user has not been banned and this token has been expired early?
Looks like I definitely need to make a call to the database or LDAP in order to get this information and compare it with the info inside the JWT token, isn't it?
To authenticate a user, a client application must send a JSON Web Token (JWT) in the authorization header of the HTTP request to your backend API. API Gateway validates the token on behalf of your API, so you don't have to add any code in your API to process the authentication.
To verify JWT claims, verify that the token is not expired. The aud claim in an ID token and the client_id claim in an access token should match the app client ID that was created in the Amazon Cognito user pool. The issuer (iss) claim should match your user pool.
With JWT authorization, you get a user-based authentication. Once the user is authenticated, the user gets a secure token that they can use on all systems. The management of the user (and therefore the token) is centralized. You set up access rights and you give each user different rights for each system.
Figure 1 shows that a JWT consists of three parts: a header, payload, and signature.
You are correct that if you MUST check this on every call, you will need to query the database or call the authorization server.
But the point is that JWT tokens should have a short enough lifetime that you should not have to worry about this.
If the token expires every hour, and the user is deleted or banned, he/she will only have access to the APIs for at most another hour (or whatever the token lifetime is). Then the client needs to renew the token and figures out that the user is no longer valid.
Not having to query the database or call a service for each token validation will make your service scale much better. It also removes a single point of failure (auth DB or service down).
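As an added illustration (not code from the question, the answer, or any quoted article): a stdlib-only HS256 verifier that performs only the stateless checks the answer describes (signature, pinned algorithm, exp), with an optional denylist lookup standing in for the stateful "is this user banned?" check. The secret, user names and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment loads a random key from a secrets store.
SECRET = b"demo-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, lifetime_s: int, now: int) -> str:
    """Mint an HS256 JWT whose exp claim is `lifetime_s` seconds after `now`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": sub, "iat": now, "exp": now + lifetime_s}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: int, revoked_subs=frozenset()):
    """Return the claims if the token is valid at `now`, else None.

    Signature, algorithm and exp are checked locally with no database call.
    `revoked_subs` is the optional stateful check (a ban/revocation denylist);
    without it, a banned user keeps access until exp, as the answer explains.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; do not trust alg from the token
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:  # expired: the short lifetime bounds the ban window
        return None
    if claims.get("sub") in revoked_subs:  # the one check that needs state
        return None
    return claims
```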