Usually, JWT implementations in a REST API backend save the user roles and/or permissions inside the JWT token claims. In these cases, clients make use of these claims to restrict the user's interaction with some of the app features.
There are some user or server actions that update the user's authorization roles/permissions. However, the last emitted JWT token has not expired yet, so it still has the old roles/permissions in its claims.
How do you or your team handle these scenarios in order to update the user's authorization in client-side apps?
I've seen many options out there:
- Create a token version and update it on the server side to compare with new requests
- Keep token lifetime short
- Use refresh token mechanism and invalidate the user's current token
I want to hear you...
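As an added example (not code from the original post), here is a minimal stdlib-only HS256 JWT issuer/verifier that combines two of the listed options: a short token lifetime and a server-side per-user token version (`ver` claim). When a role change bumps the stored version, every token issued with the old version fails verification even though its `exp` has not passed. The in-memory `TOKEN_VERSION` dict and the `SECRET` value are assumptions standing in for a database/cache row and a real secret store; the JWT encoding itself is written out inline here only for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"demo-secret-do-not-use-in-production"

# Server-side per-user token version (assumption: an in-memory dict stands in
# for a database or cache row). A role/permission change bumps it, which
# invalidates every token still carrying the old version.
TOKEN_VERSION = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, roles: list, ttl_seconds: int = 300, now=None) -> str:
    """Issue a short-lived HS256 JWT carrying roles and the user's current token version."""
    now = int(time.time()) if now is None else now
    ver = TOKEN_VERSION.setdefault(user_id, 1)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "roles": roles, "ver": ver, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def bump_token_version(user_id: str) -> int:
    """Call this when roles/permissions change; previously issued tokens now fail the version check."""
    TOKEN_VERSION[user_id] = TOKEN_VERSION.get(user_id, 1) + 1
    return TOKEN_VERSION[user_id]


def verify_token(token: str, now=None) -> dict:
    """Return the claims if signature, expiry and token version are all valid; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # only accept the algorithm we issue with
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    # The version check is what catches tokens whose roles changed after issue.
    current = TOKEN_VERSION.get(claims.get("sub"))
    if current is None or claims.get("ver") != current:
        raise ValueError("stale token: authorization changed since issue")
    return claims


def has_role(token: str, role: str, now=None) -> bool:
    """Authorization check a resource handler would run; any verification failure means no access."""
    try:
        return role in verify_token(token, now).get("roles", [])
    except ValueError:
        return False
```

Because the version lives on the server, this trades a small per-request lookup for immediate revocation; the short `ttl_seconds` bounds how long a token survives if that lookup is ever unavailable. Clients that read roles from the claims to hide UI features still need to re-fetch a token (via the refresh flow) after a `stale token` rejection, since the stale claims they cached are no longer authoritative.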