got it. so i only need to access the DB (or access an endpoint that verifies the existence of the user) at the login. from that moment, the JWT token is self sufficient and I no longer need any DB (for authentication/authorization purposes).

Thanks!

On Wednesday, August 5, 2015 at 2:17:51 PM UTC-7, Alexander Behrens wrote:
> You have your user accounts in a db. When a user logs in, you verify his account. You store every information you might need in the future in the claim of the JWT. You create the JWT and send it back to the user. With this JWT the user can now log in from anywhere, anytime until the JWT expires. You verify the user by decoding the JWT. The whole point of having JWT is to not store them in a db.
>
> On Wed, Aug 5, 2015 at 7:40 AM, josh <[email protected]> wrote:
>> Thank you Alexander!
>>
>> so maybe I don't even need to store anything in a DB?
>>
>> On Tuesday, August 4, 2015 at 6:13:51 AM UTC-7, Alexander Behrens wrote:
>>> > JWT token is created with user id, stored in a DB and JWT is returned to the app.
>>>
>>> Do you mean that user id stored in a DB or do you store the JWT in a DB? If you are storing the JWT, there is no point of using JWT :)
>>>
>>> > The app will store the JWT in the localStorage
>>>
>>> I always thought this was a good approach. But that way you will never get the JWT when the user initially loads the web app. You always have to render some boilerplate HTML and then let the client-side Javascript do the authentication call for you.
>>>
>>> On Tue, Aug 4, 2015 at 4:01 AM, josh <[email protected]> wrote:
>>>> We use OneLogIn for SSO and also SalesForce. We would like to have a single auth service that will take care of authentication and authorization to all our apps.
>>>> Does this diagram look like a good approach?
>>>> http://i.imgur.com/Ji1I1P4.png
>>>>
>>>> Here is the suggested flow:
>>>> email/password form -> auth service -> onelogin reply yes or no -> salesforce reply with user id. JWT token is created with user id, stored in a DB and JWT is returned to the app. The app will store the JWT in the localStorage (or in case of cordova in some other storage) and sends it in the HTTP header to every other service.
>>>>
>>>> BTW, I read conflicting articles about localStorage as a place to store JWT:
>>>>
>>>> https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage/
>>>>
>>>> http://stackoverflow.com/questions/27067251/where-to-store-jwt-in-browser-how-to-protect-against-csrf
>>>>
>>>> Opinions, links and suggestions are all welcome!
>>>>
>>>> --
>>>> Job board: http://jobs.nodejs.org/
>>>> New group rules: https://gist.github.com/othiym23/9886289#file-moderation-policy-md
>>>> Old group rules: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups "nodejs" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> To post to this group, send email to [email protected].
>>>> To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/7568b93c-9635-4615-b0c0-a541cb51b2dd%40googlegroups.com.
>>>> For more options, visit https://groups.google.com/d/optout.
