So here, under tokens, it is mentioned that access tokens must never be used for authentication, but here it is the access_tokens vice versa, and it is confusing.
Also, if I try to decode access_token using the given algorithm, it throws an error:
JWTError("Error decoding token headers.")
This is the flow I decided to go with, although it seems faulty.
- I get id_token and validate it against its own respective audience
- Upon successful validation I fetch user data from it and allow the user to proceed to the backend API
However, this way I never need access/refresh tokens, thus if id_token (which is permanent) gets exposed, user data is also exposed permanently.
Correct me if I am wrong.
What should I do? Continue using access_token fails to decode? How else can I decode it?
Also, please share some actual practices to follow, but not this one: token-best-practices. I have read it in detail.
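The two mechanics behind this question are (a) why a decoder reports "Error decoding token headers." on an access_token, and (b) what validating an id_token "against its own audience" actually checks. The example below is added here and is not code from the post, from Auth0, or from any library it refers to. It peeks at the JOSE header to tell a JWT from an opaque access token (many providers issue opaque access tokens, which no JWT decoder can parse), and it verifies an ID token's signature, iss, aud and exp. To run offline it signs with HS256 and a constructed shared secret; a real OIDC provider signs ID tokens with RS256 and publishes the public key via its JWKS endpoint, so the signature step would use that key instead. All token values, the issuer URL, the audience and the secret are constructed for the demo. Note that the exp check is not optional: an ID token carries an exp claim and is rejected once it passes, which is the concrete limit on how long an exposed one stays useful.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; none of these belong to a real tenant or client.
SECRET = b"demo-shared-secret-not-for-production"
ISSUER = "https://issuer.example.com/"
AUDIENCE = "my-spa-client-id"
NOW = 1_700_000_000  # fixed clock so the demo is deterministic


class TokenError(Exception):
    """Raised when a token cannot be parsed or fails a validation check."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def peek_header(token: str) -> dict:
    """Decode the (unverified) JOSE header. An opaque, non-JWT token fails
    here, which is the situation behind "Error decoding token headers."."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("Error decoding token headers: not a three-part compact JWS")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise TokenError("Error decoding token headers.") from exc
    if not isinstance(header, dict):
        raise TokenError("Error decoding token headers: header is not a JSON object")
    return header


def is_jwt(token: str) -> bool:
    """True when the token has a parseable JOSE header; False for opaque tokens."""
    try:
        peek_header(token)
        return True
    except TokenError:
        return False


def issue_hs256_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the issuer (assumption: HS256 so the demo runs offline)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{_b64url_encode(compact(header))}.{_b64url_encode(compact(claims))}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_id_token(token: str, secret: bytes, expected_iss: str, expected_aud: str, now=None) -> dict:
    """Verify signature, then iss, aud and exp; return the claims only if all pass."""
    header = peek_header(token)
    if header.get("alg") != "HS256":  # pin the algorithm; never honour alg=none or a surprise alg
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    head_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{head_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise TokenError("malformed signature") from exc
    if not hmac.compare_digest(expected, presented):
        raise TokenError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:  # the ID token must name THIS client, not some API
        raise TokenError("audience mismatch")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("token expired or missing exp")
    return claims


# Constructed sample tokens: a signed ID token and an opaque (non-JWT) access token.
ID_TOKEN = issue_hs256_token(
    {"iss": ISSUER, "aud": AUDIENCE, "sub": "user-42", "iat": NOW, "exp": NOW + 3600}, SECRET
)
OPAQUE_ACCESS_TOKEN = "v1.opaque-constructed-reference-8f2a"


def demo() -> dict:
    results = {
        "access_token_is_jwt": is_jwt(OPAQUE_ACCESS_TOKEN),
        "id_token_sub": verify_id_token(ID_TOKEN, SECRET, ISSUER, AUDIENCE, now=NOW)["sub"],
    }
    try:  # same token, validated for a different audience: must be rejected
        verify_id_token(ID_TOKEN, SECRET, ISSUER, "some-other-api", now=NOW)
        results["wrong_audience_rejected"] = False
    except TokenError:
        results["wrong_audience_rejected"] = True
    try:  # same token two hours later: must be rejected as expired
        verify_id_token(ID_TOKEN, SECRET, ISSUER, AUDIENCE, now=NOW + 7200)
        results["expired_rejected"] = False
    except TokenError:
        results["expired_rejected"] = True
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The is_jwt check is the first thing to run when a decoder fails on an access_token: if the token is opaque, the right move is to treat it as a reference to be sent to the API that issued it (or introspected there), not to try other decoding algorithms. The ID token, by contrast, is meant for the client named in aud, and the audience check is what stops a token minted for one client being accepted by another.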