First of all, thanks for the reply! And for the amazing product!
Well, I must say that I don’t need to have any data in the JWT that is mega sensitive… But I like to learn about the options in enough depth to be able to “do right things, right”.
So in my investigation I came across JWE, and thought that an additional layer of security could be obtained using a JWE with more specific info that could be validated on the server side.
I find it rather disconcerting that any bloke who gets their paws on my JWT can drop it in jwt.io and read the contents…
But I get it, JWEs are overkill… And if the auth server says the user is who they say they are and the JWT signature is kosher, then it doesn’t matter who can read it as long as they can’t spoof it, alter it, or use it to impersonate someone.
That said, I still think it’s a cool thought experiment to imagine the most secure auth and data flow scenario possible with Dgraph, and maybe JWE could play a role in that…
Let’s say the White House wanted to use Dgraph for a top-security app that their employees needed to use in the wild… Other than short-term JWT expiration, what strategies could work for user session authentication that was solid against all realistic data breaches?
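The property the post describes (anyone can read a JWT's claims, but only the signing key lets someone change them without the server noticing) shown end to end in an added example; this is not code from the poster or from Dgraph, and the key and claims are constructed for the demo:

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key and claims (not real credentials).
DEMO_KEY = b"constructed-demo-key-not-for-production"
DEMO_CLAIMS = {"sub": "alice", "role": "user"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over header.payload."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def read_claims_unverified(token: str) -> dict:
    """What jwt.io shows: the payload is base64url, not encrypted, so no key is needed to read it."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the signature checks out; otherwise None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None  # pin the algorithm; never trust "alg" from the token to pick a verifier
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def replace_payload_keeping_signature(token: str, new_claims: dict) -> str:
    """Simulate an altered token: new claims, original signature. Verification must reject it."""
    header_b64, _, sig_b64 = token.split(".")
    payload = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload}.{sig_b64}"


if __name__ == "__main__":
    token = sign_hs256(DEMO_CLAIMS, DEMO_KEY)
    print("readable without key:", read_claims_unverified(token))
    altered = replace_payload_keeping_signature(token, {"sub": "alice", "role": "admin"})
    print("altered token verifies:", verify_hs256(altered, DEMO_KEY) is not None)  # False
```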