Hi, I need a bit of advice. I’m the maintainer of a new Open Source project, ApiOpenStudio, and I’m upgrading the codebase ATM to use JWT tokens instead of the custom token stored in the DB (I know, even though it’s a short-lived token, that is not secure!).
So far, I have implemented generation and validation of the tokens in the API itself. But I also want to take into account enterprise-scale users who utilise a separate or third-party authentication service. Ideally, I want to not have to make any DB calls to validate the user against role permissions, so implicit grant would be ideal here. I’m still researching how this works and whether it requires custom claim values.
My main question is how easy is it to integrate user data like UID or roles into claims in a JWT token? Will I be making it difficult for users to integrate their base users’ data into third-party systems like here? How have people solved similar issues? Like integrating Auth0 with a remote custom DB?
JWT tokens, being signed and verifiable, will allow you to validate without a call to your DB.
Implicit flow is simply a way to transact with a public client that can’t store a secret. We would recommend using the auth code + PKCE flow for browser-based public clients like SPAs instead of implicit (it’s the more modern flow).
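To make the "no DB call" point concrete, here is an added example (not code from the thread or from ApiOpenStudio) that issues a short-lived HS256 JWT carrying the user id and roles as custom claims, then verifies it and makes a role decision purely from the claims. It uses only the Python standard library; the secret, user id, roles and timestamps are constructed for the demo, and the claim names `sub` and `roles` are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(secret: bytes, uid: int, roles: list, ttl: int = 900, now=None) -> str:
    """Issue a short-lived HS256 JWT with the user id (sub) and roles as claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": str(uid), "roles": roles, "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(secret: bytes, token: str, now=None) -> dict:
    """Verify signature and expiry locally (no DB); return claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm: never let the token's own header choose the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims

def has_role(claims: dict, role: str) -> bool:
    """Authorization decision taken from the verified roles claim alone."""
    return role in claims.get("roles", [])
```

Because the roles live inside the signed payload, any change to them invalidates the signature, which is what lets the API skip the permissions lookup; a revoked role only disappears when the short-lived token expires, so keep `ttl` small.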
I’ll go through those links you’ve passed on. Those should give me enough info to make a plan on how to refactor ApiOpenStudio for security, speed and different users’ requirements.