As written on jwt.io: "The payload contains any arbitrary information in the form of claims that we as developers find useful for our applications." So I think it would be convenient to put the username, email, and so on there. In this case I have no need to fetch this information from the database or file system during the authentication process. It is being touted as an advantage if the app is distributed across many servers.
But I see one annoying obstacle here. What if the payload was changed as a result of changing the user's account information? All previously issued tokens stay valid since their signature is still valid. So I'll get wrong user account information from the old token's payload.
Did I miss something in the idea behind JWT tokens?
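As an added illustration (not part of the original post), the following Python mints an HS256 JWT with only the standard library and reproduces the situation described: a token issued before a profile change still carries a valid signature, so the usual defence is to keep tokens short-lived and compare the token's `iat` against a server-side "profile last changed" timestamp. The secret key, user names and timestamps are constructed for the example; the `PROFILE_CHANGED_AT` store stands in for whatever the real service keeps in its user table or cache.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-secret-not-for-production"  # constructed key for this example only

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, ttl: int = 900, now=None) -> str:
    """Mint an HS256 JWT carrying the profile claims plus iat/exp."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(dict(claims, iat=now, exp=now + ttl)).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_signature(token: str):
    """Return the payload if the token is well-formed and its HS256 signature matches, else None."""
    parts = token.split(".")
    if len(parts) != 3 or json.loads(b64url_decode(parts[0])).get("alg") != "HS256":
        return None  # refuse anything but the one algorithm we issue
    expected = hmac.new(SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return None
    return json.loads(b64url_decode(parts[1]))

# Server-side record of when each account's profile claims last changed
# (constructed sample; a real service keeps this in its user table or a cache).
PROFILE_CHANGED_AT = {"alice": 0}

def load_claims(token: str, now=None):
    """Accept only tokens that are genuine, unexpired, and issued after the last profile change."""
    now = int(time.time()) if now is None else now
    claims = verify_signature(token)
    if claims is None or claims["exp"] <= now:
        return None
    if claims["iat"] < PROFILE_CHANGED_AT.get(claims["sub"], 0):
        return None  # signature is fine, but the embedded email/username may be stale
    return claims

def demo(t0: int = 1_700_000_000) -> tuple:
    """Reproduce the question: the old token stays signature-valid, yet the freshness check rejects it."""
    old = issue_token({"sub": "alice", "email": "alice@old.example"}, now=t0)
    PROFILE_CHANGED_AT["alice"] = t0 + 60          # Alice changes her email a minute later
    fresh = issue_token({"sub": "alice", "email": "alice@new.example"}, now=t0 + 120)
    return (verify_signature(old) is not None,             # True: signature still verifies
            load_claims(old, now=t0 + 120) is not None,    # False: stale claims refused
            load_claims(fresh, now=t0 + 120)["email"])     # 'alice@new.example'
```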