I have an api server that relies on an auth server (both owned by the same company). Once the client gets a grant from the auth server, it is no longer needed, because the only information I need from the auth server is the user profile. Should I in this case cache the user profile on the api server, along with the access token? I want to do this so that I don't have to keep calling the auth server every non-auth related request.

  • The api has no authentication on its own; it trusts the auth server and vice versa.

Is this a good pattern? Or instead should I issue an access token from the api server, after the authentication with the auth server was validated?

Comments:
  • If the token is revoked, how does your cache deal with it? Commented Feb 24, 2020 at 14:29
  • Add the user data to the token and you can do away with the call altogether. Commented Feb 24, 2020 at 14:31
  • I don't know how I would handle revoke and expiry, but I guess that's relatively trivial to handle once I'm confident with token caching. Commented Feb 24, 2020 at 14:55
  • JSON Web Tokens (jwt.io) have a specific field for designating the expiration time frame and the creation dates. Most libraries that support JWT have built-in validation to ensure the token is valid (correctly signed and not expired). You just need to ensure the remainder of your data is provided in the token. Commented Feb 24, 2020 at 15:21
  • NOTE: you have a period before the token expires where a user may be accessing your site with invalid credentials. Don't make the expiration time super long. Commented Feb 24, 2020 at 15:22
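The caching pattern from the question, with the two concerns raised in the comments (revocation and expiry) handled, as an added example that is not part of the original post or anyone's production code. It assumes the auth server issues HS256 JWTs carrying sub, jti and exp claims and that both servers share the HMAC key (modelling the mutual trust the question describes); mint_token, verify_token, ApiServer and the stand-in userinfo call are all constructed for this example. Everything here is standard library only.

```python
import base64
import hashlib
import hmac
import json

ALG = "HS256"  # pinned: the token is never allowed to pick its own algorithm


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, sub: str, jti: str, now: int, ttl: int) -> str:
    """Auth-server side (assumed format): short-lived HS256 JWT.
    jti gives the API something to revoke by; exp bounds how long a cached
    profile can live even if nobody ever revokes."""
    header = {"alg": ALG, "typ": "JWT"}
    claims = {"sub": sub, "jti": jti, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_token(key: bytes, token: str, now: int):
    """API side: return the claims if signature, shape and expiry hold, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        header = json.loads(unb64url(head))
        if not isinstance(header, dict) or header.get("alg") != ALG:
            return None  # rejects alg=none and algorithm-confusion attempts
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(sig)):
            return None
        claims = json.loads(unb64url(body))
        exp = claims.get("exp")
        if not all(isinstance(claims.get(k), str) for k in ("sub", "jti")):
            return None
    except (ValueError, TypeError, AttributeError):
        return None  # malformed base64/JSON or non-object payload
    if not isinstance(exp, int) or now >= exp:
        return None
    return claims


class ApiServer:
    """Caches the profile the auth server returned for a token, keyed by the
    token's hash, for at most min(token exp, max_cache_ttl) seconds."""

    def __init__(self, key: bytes, max_cache_ttl: int = 300):
        self.key = key
        self.max_cache_ttl = max_cache_ttl
        self._cache = {}   # sha256(token) -> {"jti", "expires_at", "profile"}
        self._revoked = {}  # jti -> exp of the revoked token (droppable after exp)
        self.auth_server_calls = 0  # counts simulated userinfo round-trips

    def _userinfo(self, sub: str) -> dict:
        # Constructed stand-in for the auth server's profile endpoint.
        self.auth_server_calls += 1
        return {"sub": sub, "name": f"user-{sub}", "roles": ["reader"]}

    def revoke(self, jti: str, exp: int) -> None:
        """Called when the auth server pushes a revocation: deny the jti until
        the token would have expired anyway, and drop any cached profile."""
        self._revoked[jti] = exp
        self._cache = {k: v for k, v in self._cache.items() if v["jti"] != jti}

    def handle_request(self, token: str, now: int):
        """Returns (http_status, profile_or_None) for one non-auth API request."""
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        claims = verify_token(self.key, token, now)
        if claims is None or claims["jti"] in self._revoked:
            return 401, None
        cache_key = hashlib.sha256(token.encode()).hexdigest()  # never store raw tokens
        entry = self._cache.get(cache_key)
        if entry is not None and now < entry["expires_at"]:
            return 200, entry["profile"]
        profile = self._userinfo(claims["sub"])
        self._cache[cache_key] = {
            "jti": claims["jti"],
            "expires_at": min(claims["exp"], now + self.max_cache_ttl),
            "profile": profile,
        }
        return 200, profile


if __name__ == "__main__":
    KEY = b"shared-secret-between-auth-and-api"  # constructed for the demo
    api = ApiServer(KEY)
    tok = mint_token(KEY, "42", "abc", now=1000, ttl=3600)
    print(api.handle_request(tok, 1000), api.handle_request(tok, 1100), api.auth_server_calls)
```

The same cache works unchanged with an opaque token plus an introspection call in place of verify_token; what matters is that the cache key is a hash of the token, the entry can never outlive the token's exp, and the auth server has a way (here, revoke by jti) to kill an entry early. The comment's alternative of putting the profile into the token removes the cache and the userinfo call entirely, but the revocation window the last comment warns about is the same in both designs, so keep exp short either way.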
