Gotcha! That all makes sense and I understand the approach but really this is my sorta quandary when it comes to JWTs, like you said:
I do not know if this is the best answer and I am not sure how I feel about giving access for a short period of time even if I have revoked the refresh_token but I have read about people using this approach. So, in the end, you are making DB calls but they are not on every request, you make DB calls only when the acess_token expires.
I feel like it ends up being essentially a glorified session token simply because the access period is so low you might as well just check it on every request. (The idea of having it available for a short period after revocation - no matter how long - really doesn’t sit well.)
I feel like there’s a use case for JWT but it certainly isn’t a be-all-end-all to simply replace the session token in all cases.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Gotcha! That all makes sense and I understand the approach but really this is my sorta quandary when it comes to JWTs, like you said:
I feel like it ends up being essentially a glorified session token simply because the access period is so low you might as well just check it on every request. (The idea of having it available for a short period after revocation - no matter how long - really doesn’t sit well.)
I feel like there’s a use case for JWT but it certainly isn’t a be-all-end-all to simply replace the session token in all cases.