Hey guys,
So here (tokens) it is mentioned that access tokens must never be used for authentication, but here (access_tokens) it is vice versa, and it is confusing.
Also, if I try to decode access_token using the given algorithm, it throws an error:
jwt.get_unverified_header(token)
→ JWTError("Error decoding token headers.")
This is the flow I decided to go with, although it seems faulty.
- I get id_token and validate it against its own respective audience
- Upon successful validation I fetch user data from it and allow the user to proceed to the backend API
However, this way I never need access/refresh tokens, thus if id_token (which is permanent) gets exposed, user data is also exposed permanently.
Correct me if I am wrong.
What should I do? Continue using id_token?
Why does access_token fail to decode? How else can I decode it?
Also, please share some actual practices to follow, but not this one (token-best-practices); I have read it in detail.
Thanks
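An added example (not from this thread and not from any token library) covering two of the points above in stdlib Python: a header decoder fails on an access token that is not a JWT at all (an opaque token has no header to decode), and an id_token needs its signature, iss, aud and exp checked before its claims are trusted. It assumes an HS256 shared secret so it runs offline; a real identity provider signs id_tokens with RS256 and publishes JWKS public keys, so the signature step would use those instead. The issuer, audience and secret values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def classify_token(token: str) -> str:
    """'jwt' if the value is a three-segment JWS with a JSON header, else 'opaque'."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque"          # no header segment: get_unverified_header() cannot work
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:           # binascii.Error and UnicodeDecodeError are ValueErrors
        return "opaque"
    return "jwt" if isinstance(header, dict) and "alg" in header else "opaque"

def mint_hs256(payload: dict, secret: bytes) -> str:
    """Constructed sample issuer: HS256 only so the demo runs offline (real IdPs use RS256 + JWKS)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_id_token(token: str, secret: bytes, issuer: str, audience: str, now: float) -> dict:
    """Verify signature first, then iss/aud/exp. Raises ValueError on any failure."""
    if classify_token(token) != "jwt":
        raise ValueError("not a JWT (opaque token?)")
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # pin the algorithm; never let the token choose it
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer or audience not in aud:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:            # the exp claim bounds how long a leaked token is usable
        raise ValueError("expired")
    return claims
```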