DEV Community

Discussion on: Using JWTs for Authentication in RESTful Applications

Perry Donham

Excellent point, Alex! I'll update my lecture and code on this as it clearly would be a potential leak. What do you think about using a constantly changing identifier on the session as I mentioned in the reply above?

Alex Rudenko

I think that would work for the session/client-auth use case. I mostly use JWTs in a distributed system where a token is an authorization to access a specific service (also backend-to-backend). For this use case, I always need the user ID in the token. A constantly changing identifier would be problematic to use because the service usually does not have access to the session or user data.
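The two designs discussed in this thread, side by side, as an added example that is not code from the article or from either commenter: a stdlib-only HS256 mint/verify, then one authorizer that reads the user ID from the token (no session store needed) and one that carries only an opaque, rotating session id and must resolve it through session storage. The claim names `sub` and `sid`, the demo secret and the dict standing in for a session store are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret shared by the issuing auth service and the downstream
# service; in production this is a managed secret or an asymmetric key pair.
SECRET = b"constructed-demo-secret-do-not-reuse"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, now: int, secret: bytes = SECRET):
    """Return the claims if signature and expiry check out, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm instead of trusting the token's header
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, AttributeError):  # malformed base64/JSON or non-object claims
        return None

def authorize_with_user_id(token: str, now: int):
    """Alex's case: the token carries the user ID (sub), so a service without a session store can authorize alone."""
    claims = verify_jwt(token, now)
    return None if claims is None else claims.get("sub")

def authorize_with_session_id(token: str, session_store: dict, now: int):
    """Perry's proposal: the token carries only an opaque rotating session id (sid); resolving the user needs the store."""
    claims = verify_jwt(token, now)
    return None if claims is None else session_store.get(claims.get("sid"))
```

The session-id variant leaks nothing about the user if the token is exposed, but every service that must authorize the call needs a path to the session store, which is exactly the constraint raised above for backend-to-backend calls.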