I’m fairly new to JWTs. I’m trying to understand what happens on the client vs. what happens on the server.
The function client.isAuthenticated() is part of the front end SDK. So my question is, how can the front end possibly determine if the user is authenticated - surely that’s something that should be trusted only to the back end, via something like jose’s jwtVerify().
Is it simply that the front end can determine (only) that the passed code is “valid” i.e. not expired, but cannot actually determine whether it represents an authenticated user (which is a back end job), or am I way off?
isAuthenticated checks if a user has been authenticated, not authorized - it does so by checking for a user and thus an ID token. ID tokens are returned upon successful authentication. This is common practice on the frontend, whereas validating an access token (authorization) should definitely be handled by the backend.