by alex_smart
30 days ago
Who uses JWT like this anyway? A typical production architecture would look like:
- frontend only ever sees an opaque session cookie
- BFF stores the access token against the session and attaches it when calling backend services

Yes, storing JWTs directly in the frontend client is a bad idea, but surely there is a better way of communicating that than "JWT is a scam and your app doesn't need it".

> RS256 verification is in the same order of magnitude as a Redis lookup

But the point is that the verification is CPU-bound and local to the service, which means that it is horizontally scalable.
It’s a lot of work to get it right in SSR environments, since both the bff and the frontend need to be able to refresh the access token (preferably transparently during an in-flight request). Even then, access tokens really should expire within a minute or two, not hours or days.