
Right now I'm using JWT for authentication and authorization. I have 2 clients, a web app and a mobile app. When the user logs in to the web app, he will get an access token for that web client, and when the same user logs in to the mobile app, he will get an access token for that mobile app.

Therefore, if one of the clients is logged out by the user, the other client shouldn't log out too. The way I know the user is logged in from a different client is that I save the refresh token in the database together with the client ID. I just want to know whether this is still correct practice, because I am confused about IdentityServer and OAuth 2.0.

My expectation is that my Web API can handle authorization for multiple clients.

  • From the point of view of the API, there's no "being logged in" notion - each call is separate and standalone - and for each call, the API will check the bearer token sent along to determine whether that call can go through (or not). Being "logged in" is more of a frontend concern - the API really doesn't care - it just checks the bearer token (whether it's valid or expired etc.) and either allows (and processes) the call - or it refuses to do so. Commented Dec 24, 2023 at 8:19
  • I get that, I'm just confused about which kind of auth I should use. I have done my research on IdentityServer (which has been converted to Duende), OpenIddict and OAuth 2.0. Some said I should not do my own authentication logic, and I also just saw someone do SQL injection on a JWT token. I'd really appreciate more insight on this. PS: I'm still new to doing Web APIs. Commented Dec 24, 2023 at 9:27
  • The current "best practice" probably really is OAuth 2 - so you have an external identity provider (IdentityServer, Azure AD or whatever) to handle authentication, and they provide an access token (in the form of a JSON Web Token, JWT) to authenticate your calls. Which product is used to provide this authentication mechanism and create the access tokens is less relevant - just stick with the OAuth 2 standard (and yes - definitely do NOT roll your own!). Commented Dec 24, 2023 at 9:38
  • Is it based on the flagged answer for this question (stackoverflow.com/questions/73658327/…)? When I go to the blog mentioned, it's almost the same as my current JWT method, which I follow from this reference (codeproject.com/Articles/5325297/…). Commented Dec 24, 2023 at 9:53
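The per-client session model described in the question, and the "each call is standalone" point made in the first comment, can be demonstrated together in a small example. This is an added illustration in Python (the question is about a .NET Web API, but the mechanics are language-independent) and is not code from the original post or from IdentityServer/Duende or OpenIddict. It assumes an HS256 shared secret, an in-memory dict standing in for the refresh-token table (storing only a hash of each refresh token), a 15-minute access-token lifetime and refresh-token rotation; all names (`AuthServer`, `login`, `refresh`, `logout`, `verify_jwt`) are hypothetical. The resource API only ever runs `verify_jwt`, which touches no database; the refresh-token table is what lets the user log the web client out without affecting the mobile client.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"constructed-demo-signing-key"  # assumption: HS256 secret shared by issuer and API


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now=None):
    """What the resource API does on every request: pin the algorithm, check the
    signature, check expiry. Stateless: no lookup of any session or refresh token."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse alg=none / algorithm confusion
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    now = time.time() if now is None else now
    return claims if claims.get("exp", 0) > now else None


def _h(refresh_token: str) -> str:
    return hashlib.sha256(refresh_token.encode()).hexdigest()


class AuthServer:
    """Issuer side. `refresh_tokens` stands in for the DB table keyed by
    (hash of refresh token) -> {sub, client_id, revoked}."""

    ACCESS_TTL = 900  # assumption: 15-minute access tokens

    def __init__(self, key: bytes):
        self.key = key
        self.refresh_tokens = {}

    def login(self, user: str, client_id: str, now: int):
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[_h(refresh)] = {"sub": user, "client_id": client_id, "revoked": False}
        access = sign_jwt({"sub": user, "client_id": client_id, "iat": now,
                           "exp": now + self.ACCESS_TTL}, self.key)
        return access, refresh

    def refresh(self, refresh: str, client_id: str, now: int):
        """Rotate: the presented refresh token is burned and a new pair issued.
        A token bound to another client, or already revoked, is rejected."""
        rec = self.refresh_tokens.get(_h(refresh))
        if rec is None or rec["revoked"] or rec["client_id"] != client_id:
            return None
        rec["revoked"] = True
        return self.login(rec["sub"], client_id, now)

    def logout(self, refresh: str) -> None:
        """Logout revokes only this client's refresh token; other clients keep theirs."""
        rec = self.refresh_tokens.get(_h(refresh))
        if rec is not None:
            rec["revoked"] = True

    def active_clients(self, user: str):
        return sorted(r["client_id"] for r in self.refresh_tokens.values()
                      if r["sub"] == user and not r["revoked"])


def demo():
    """Web and mobile log in as the same user; the web client logs out."""
    now = 1_700_000_000
    srv = AuthServer(SECRET)
    web_access, web_refresh = srv.login("alice", "web", now)
    _, mobile_refresh = srv.login("alice", "mobile", now)
    srv.logout(web_refresh)
    return {
        "web_refresh_after_logout": srv.refresh(web_refresh, "web", now + 60),
        "mobile_still_refreshes": srv.refresh(mobile_refresh, "mobile", now + 60) is not None,
        # caveat: the already-issued web access token stays valid until `exp`
        "web_access_still_valid": verify_jwt(web_access, SECRET, now + 60) is not None,
        "web_access_after_expiry": verify_jwt(web_access, SECRET, now + 1000),
        "active_clients": srv.active_clients("alice"),
    }


if __name__ == "__main__":
    print(demo())
```

Note the caveat `demo` exposes: revoking the web client's refresh token stops it from obtaining new access tokens, but the access token it already holds is accepted by the API until it expires, because the API does not consult the database. Keep access tokens short-lived for that reason, and store refresh tokens hashed so a dump of the table cannot be replayed.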

