
Here is what I am planning to do for keeping separate tokens for web and mobile:

1. When the user is logged in from the web, a JWT token is issued and it is stored in a DB table with a created timestamp. The above step is repeated for the mobile client, so the table contains separate tokens for each client.

2. At the time of validation, search for the token in the table; if it exists, then try to verify it with JWT.verify.

Is it the right method for keeping separate logins using JWT?

1 Answer


Maybe there are other ways to do it, but your approach is totally correct. In fact, I would recommend it exactly your way. What you are doing is scoping the issued token to a specific service or platform. It is useful not only for your use case, but also when you have multiple APIs. You can issue different tokens for each service separately.


2 Comments

But storing the tokens in a DB is against the JWT philosophy?
JWTs are not perfect. The main drawback is the expiration mechanism. Though JWT supports the exp claim, it can't really be used in web apps, because you can't easily update it. To do it, you would need to reissue a new token for each client request. Otherwise, if the client gets a token at 2pm with exp set for 1 hour, and the client actually worked the whole hour, the token will still expire at 3pm anyway. It is OK to reissue an expired token, but combined with your approach you can also keep the expiration in the DB alongside the scope, and update it on each request. Same as classical sessions, just more "modern".
