Do you store JWT tokens in db ?

Hi experts,

I am self-learning the JWT and OAuth since I didn't get to do it in my last temp job.

There is a java brain youtube video that teaches the JWT and then using Postman to see the bearer.

Although I have read countless in the internet but I feel that it is always not complete.

At the back of my mind, I just wonder if the JWT tokens with its expiry date are stored at all?

And also after the JWT token is verified, how is the User being transported to a 3rd party that is using OAuth2 ?

Furthermore, how does it take place in a AWS setting?

Hope someone can kindly advise me on the above.

Tks.

You probably didn't get a full story because there isn't a full story. OAuth is a standard with a very high abstraction level, it leaves a lot of implementation details to authentication providers. For instance, OAuth says nothing about JWT tokens. JWT token are just one of the many ways you can implement data exchange between hosts.

JWT tokens come in different flavours. Transparent JWT tokens contain information like the user ID that was authorized. When you're using these you don't have to store any tokens anywhere, in theory. Your server just validates the token, checks that it hasn't expired, and then does with the user ID from the token what it wants. The client could theoretically request a new token before every request and nothing would get stored. It's common for the client to save the token in a cookie or user session though.

Opaque tokens don't contain information that is accessible by the web service. The web service must present the token to the authentication provider that generated the token, which will then validate the token and return a user ID or other info back to the web service. In this case, the authentication provider must store data that's associated with the token. It may still store data in the token itself, but it will encrypt the token to make it unreadable to anyone but itself.

tangara goh wrote:And also after the JWT token is verified, how is the User being transported to a 3rd party that is using OAuth2 ?

If the web service validates a transparent token, the user info will be present in the token itself.

If the token is opaque, it must be traded for user information with the authentication provider.

Furthermore, how does it take place in a AWS setting?

What exactly do you want to achieve?

Stephan van Hulst wrote:JWT token are just one of the many ways you can implement data exchange between hosts.

JWT tokens come in different flavours. Transparent JWT tokens contain information like the user ID that was authorized. When you're using these you don't have to store any tokens anywhere, in theory. Your server just validates the token, checks that it hasn't expired, and then does with the user ID from the token what it wants. The client could theoretically request a new token before every request and nothing would get stored. It's common for the client to save the token in a cookie or user session though.

Opaque tokens don't contain information that is accessible by the web service. The web service must present the token to the authentication provider that generated the token, which will then validate the token and return a user ID or other info back to the web service. In this case, the authentication provider must store data that's associated with the token. It may still store data in the token itself, but it will encrypt the token to make it unreadable to anyone but itself.

tangara goh wrote:And also after the JWT token is verified, how is the User being transported to a 3rd party that is using OAuth2 ?

If the web service validates a transparent token, the user info will be present in the token itself.

If the token is opaque, it must be traded for user information with the authentication provider.

Furthermore, how does it take place in a AWS setting?

What exactly do you want to achieve?

Thanks Stephan.

Say if I use JWT and check against a User role before he/she has access to a resource endpoint.

Will it be ok if the token and secret being shown in the client's browser end ?

I am totally confused how the flow of things. After a User is verified by Spring Security JWT module correctly, how is OAuth2 come into the picture ?

The user will be re-directed to a OAuth2 server for another authentication ?

Hope you could advise me.  Many thanks again.