Description
Here is the post.

- Asymmetric signing for the JWTs. Only your auth server would have the key for token generation, but any app with the public key can verify the token.
- Revoking JWTs. It looks like right now, if a bad actor were to get ahold of a token, you have no way to stop them. While the short lifespan of the tokens will get you most of the way toward preventing bad actors from doing anything too bad, the ability to revoke tokens is usually a pretty common security requirement.
- Key rotation. There should be a mechanism in place that allows you to rotate the signing keys for your JWTs. It should allow you to add a new signing key without invalidating all the JWTs currently in circulation.
- Cookie support. Unfortunately for server-rendered apps, storing the token in local storage isn't possible. Provided the token isn't too big, you could also shove it into a cookie so server-rendered apps can also use the auth server.
Thanks to cbadger85