Thursday, 7 July 2016

JWT Refresh after user permissions have changed

Quick question about the json web token.

When my token is expired, I get a refresh token based on my current token (without validating the current user).

So what would happen when I change the permissions of a user, and he isn't allowed to get data from the web API anymore? Should I store the JWT in the DB so I can validate his permissions, or what?

And I have read that a token is split up into 3 parts with some user information in it. How can a refresh token be different if it should carry the same information?

I really hope somebody can help me out with this one.

Grtz, Robin
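The refresh scenario from the question, as an added example that is not part of the original post: a minimal HS256 JWT issued from the user's current database record, and a refresh that re-verifies the signature, rejects tokens whose per-user `token_version` no longer matches the DB, and reloads permissions instead of copying them out of the old token. The secret, the `USERS` table and the `token_version` claim are constructed for this example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"demo-secret-change-me"   # constructed for the example
REFRESH_WINDOW = 7 * 24 * 3600       # how long after exp a refresh is still accepted

# Constructed stand-in for the user table. An admin bumps token_version to
# invalidate every outstanding token for that user.
USERS = {"robin": {"perms": ["read:api"], "token_version": 1}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(username: str, ttl: int = 900, now: Optional[int] = None) -> str:
    """Build an HS256 JWT whose claims come from the *current* DB record."""
    now = int(time.time()) if now is None else now
    user = USERS[username]
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": username, "perms": user["perms"],
                               "ver": user["token_version"],
                               "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def decode(token: str, now: Optional[int] = None, ignore_exp: bool = False) -> dict:
    """Verify the signature (and expiry unless ignore_exp) and return the claims."""
    now = int(time.time()) if now is None else now
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if not ignore_exp and claims["exp"] <= now:
        raise ValueError("expired")
    return claims

def refresh(old_token: str, now: Optional[int] = None) -> str:
    """Re-issue a token. The old signature must verify, the refresh window must
    still be open, and the DB token_version must match; permissions are reloaded."""
    now = int(time.time()) if now is None else now
    claims = decode(old_token, now=now, ignore_exp=True)
    if now - claims["exp"] > REFRESH_WINDOW:
        raise PermissionError("refresh window closed; user must log in again")
    user = USERS.get(claims["sub"])
    if user is None or user["token_version"] != claims["ver"]:
        raise PermissionError("token revoked; user must log in again")
    return issue(claims["sub"], now=now)   # claims rebuilt from the DB, not the old token
```

The old token is never stored: the DB only holds the per-user version and permissions, which is what the refresh endpoint needs to check.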
