I'm quite curious about the server-token validation process.
The JWT doesn't store username and password information (encrypted) and reauthenticates right?
Does the server contain a database that holds valid token signatures or is there a database-stored token field within the payload that the server uses to verify with?
The power of JWTs is that you can forego the use of any type of key store. Typically you'd store things like the username, user email, user phone number, etc. in your JWT's payload. Or, as they mentioned in the article, you can also store more metadata like the expiration time of the token, issuer of the token, subject of the token, and a bunch more.
You should have a special private token on your server which will be used to sign a JWT (and send it to the user) on events like a user login. That same key would be used on subsequent requests from the user, where the JWT would be sent alongside the user's request to the server. The server will now verify the JWT using the same special private token. If the token is valid, they can be authorized to access certain resources. Bingo.