I have implemented JWT tokens in the OAuth2 framework. I have a few queries that came to my mind after the implementation, which are listed below:
1. Before the JWT implementation, whenever a user accessed an API in the resource server with the corresponding access token as bearer, the resource server checked with the auth server using the user-info-uri endpoint, as shown below:
security:
  oauth2:
    resource:
      user-info-uri: https://localhost:8080/auth/user
After the JWT implementation, what I believe is that no checking call happens between the resource server and the auth server; rather, it validates the signature of the JWT token with the public key. But to check this, after getting the JWT token I stopped the auth server and tried to see whether the resource server validates the JWT token and gives the response, but this failed. Does the resource server establish any connection with the auth server?
2. Previously, before the JWT implementation, all the tokens were persisted in the database, so one got a token after successfully authorizing, and since the token was persisted in the DB, the token would be the same even if he called the same token API again, until the expiry. After the JWT implementation, it looks like JWT recommends not persisting the generated token in the DB, meaning every time the user invokes the token endpoint he gets a different JWT token. Do we need to persist the JWT token in the database?
3. Anyone can see all the user details, including the user roles, from the JWT token on http://jwt.io/. Does this create any issues?
In addition to the above queries, can anyone please tell me what the other pros and cons of using JWT tokens in OAuth2 are?
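The three questions above all come down to what a signed JWT actually is, so here is an added, stand-alone illustration (my own example code, not the asker's Spring Security configuration and not any library's internals) using only the Go standard library. It mints an RS256 token the way an authorization server would and then verifies it with nothing but the public key, which is the local check a resource server performs (question 1); every call to MintToken draws a fresh "jti", so two tokens for the same user are never byte-identical even when nothing is stored (question 2); and UnverifiedClaims decodes the roles with no key at all, which is exactly what jwt.io does (question 3). The claim names, the "ROLE_USER" value and the one-hour lifetime are assumptions chosen for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// b64 is the unpadded base64url alphabet that JWS (RFC 7515) requires.
var b64 = base64.RawURLEncoding

// MintToken builds and RS256-signs a JWT, as an authorization server would.
// A random "jti" is added on every call, so two tokens minted for the same
// subject at the same second still differ (nothing needs to be persisted).
// Claim names and the roles value are assumptions for this example.
func MintToken(priv *rsa.PrivateKey, sub string, roles []string, now time.Time, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(map[string]interface{}{
		"sub":   sub,
		"roles": roles,
		"iat":   now.Unix(),
		"exp":   now.Add(ttl).Unix(),
		"jti":   b64.EncodeToString(jti),
	})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyToken is the resource server's side: it needs only the public key and
// the current time, never a round trip to the authorization server.
func VerifyToken(pub *rsa.PublicKey, token string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &header); err != nil {
		return nil, err
	}
	// Pin the algorithm we expect. Honouring whatever "alg" the token names
	// is how "alg":"none" and RS256->HS256 key-confusion bypasses happen.
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	claims, err := UnverifiedClaims(token)
	if err != nil {
		return nil, err
	}
	// Signature checks integrity only; lifetime must be checked separately.
	exp, ok := claims["exp"].(float64)
	if !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

// UnverifiedClaims decodes the payload with no key at all. This is what
// jwt.io shows you: the claims are base64url-encoded, not encrypted.
func UnverifiedClaims(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	err = json.Unmarshal(raw, &claims)
	return claims, err
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	tok, _ := MintToken(priv, "alice", []string{"ROLE_USER"}, now, time.Hour)
	claims, err := VerifyToken(&priv.PublicKey, tok, now)
	fmt.Println("verified with public key only:", claims, err)
	peek, _ := UnverifiedClaims(tok)
	fmt.Println("readable by anyone, no key needed:", peek["roles"])
}
```

Two practical notes follow from the code. The verifier only ever touches the public key, so if a resource server stops working when the auth server is down, it is because it still fetches something from it at runtime (the key or the userinfo), not because JWT validation requires it. And because the payload is readable by anyone holding the token, put only what the resource server needs to authorize the request in it, and never secrets; if the contents themselves must be hidden, that is what JWE (encrypted JWTs) is for, which a plain signed JWT does not give you.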