+1

This is what we plan in IS too - to make all the tokens JWT by default. This approach also helps in multi-regional setups.

The drawback is the revocation. But we can find a workaround for that.

Thanks & Regards
-Prabath

On Mon, Jun 24, 2019 at 10:23 PM Nuwan Dias <[email protected]> wrote:

> Hi,
>
> I've recently been thinking about $subject. Currently when we generate an
> access token we persist it in the DB for various reasons. One of those
> reasons is for validation of the issued token. But with self-contained
> signed access tokens we no longer need to look up the DB to validate the
> access token. Not having to look up a DB during validation is a very
> powerful capability which opens avenues for heavily distributed
> architectures, regional resiliencies and so on. What would be the downsides
> of not persisting self-contained access tokens? And what mechanisms can we
> come up with to remediate those?
>
> Thanks,
> NuwanD.
>
> --
> *Nuwan Dias* | Director | WSO2 Inc.
> (m) +94 777 775 729 | (e) [email protected]

--
Thanks & Regards,
Prabath
https://github.com/prabath/me
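The trade-off discussed in this thread, as an added example that is not part of the original emails or of WSO2's code: a token is validated from its signature and `exp` claim alone, and revocation is handled by a small `jti` denylist whose entries are dropped once the token would have expired. HS256 with a constructed key is an assumption made to keep the example standard-library only, and the denylist is one assumed workaround; the thread does not specify one.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed; stands in for the issuer's key

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue(sub, jti, ttl, now):
    """Issue a signed token; nothing is persisted at issue time."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"sub": sub, "jti": jti, "exp": now + ttl}).encode())
    signature = b64url(sign(head + "." + body))
    return head + "." + body + "." + signature

class Validator:
    """Validates from signature and claims alone; stores only revoked ids."""

    def __init__(self):
        self.revoked = {}  # jti -> exp (assumed workaround, not from the thread)

    def revoke(self, jti, exp):
        self.revoked[jti] = exp

    def validate(self, token, now):
        try:
            head, body, sig = token.split(".")
            if not hmac.compare_digest(sign(head + "." + body), unb64url(sig)):
                return None
            if json.loads(unb64url(head)).get("alg") != "HS256":
                return None  # pin the algorithm; never trust the header's choice
            claims = json.loads(unb64url(body))
        except (ValueError, AttributeError):
            return None
        # An entry is only needed until the token it names would expire anyway.
        self.revoked = {j: e for j, e in self.revoked.items() if e > now}
        if claims.get("exp", 0) <= now or claims.get("jti") in self.revoked:
            return None
        return claims
```

The denylist stays bounded by the token lifetime, so shorter `exp` values shrink both the revocation window and the state each validating node has to hold.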
