1

JWT promises to be faster / simpler by including permissions in the Token itself. However my question is this: say a user is logged in, and is using a JWT that contains permission info allowing them access to A and B.
Then an admin or other user comes along and grants that user permission to view C while the user is still logged in. But because the user is still using the old JWT, he's still not going to be able to access C.

What are the options here? Blacklist the token and force the user to log in again? Or forget about token-based permissions altogether?

CorlinP
  • 169
  • 1
  • 2
  • 15

2 Answers2

6

JWT tokens are stored in localStorage or cookies on frontend side so this the issue when your application will face with changing permissions.

Use refresh token mechanism with unique SECRET per user which is stored in the database so by changing this SECRET will force that particular user to re-login and get a new token with updated permissions.

Abhishek Singh
  • 1,631
  • 1
  • 17
  • 31
2

Personally, I would rely on JWT for authentication (who the caller is) only.

For authorization (what the caller can do), look up the caller roles/permissions from your persistent storage to get the most updated information.

cassiomolin
  • 124,154
  • 35
  • 280
  • 359