Stateless token verification with JWT - TheThing
http://jonatan.nilsson.is/stateless-tokens-with-jwt/

======
1rae
I don't think storing permissions in the JWT is really a good idea, and it
might make the token size a lot larger. I am not even sure if I should store
the user_id in the JWT. I just implemented this on my site API and stuck the
persistence token in the JWT, that way the token can be denied if you delete
the persistence token, and it's linked to the user and the user's
permissions... but it still requires an additional database lookup.

What if you issue the JWT with role permissions embedded, and the user is
rejected from the role before the JWT expires? Then they can still execute
actions they are no longer allowed to. It just seems like it could end
badly...

~~~
lyschoening
Maybe the author meant permissions such as 'read-only' or 'read-write' that
place additional restrictions on a token.

Anything else would cause a lot of problems. Role permissions might change
while a token is still active.

~~~
TheThing
That is basically it: an additional restriction applied to the token.

I was actually referencing this article:
[https://auth0.com/blog/2014/12/02/using-json-web-tokens-as-a...](https://auth0.com/blog/2014/12/02/using-json-web-tokens-as-api-keys/)

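The reading the thread settles on (scope as a restriction on the token, roles left out of the claims, and 1rae's persistence-token lookup as the only stateful check) as an added example; this is not code from the thread or from the linked post, and the HS256 signing, the claim names `pid` and `scope`, and the demo key are my own assumptions.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed for this example; use a random key in practice

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(user_id, persist_id, scope, ttl=3600, now=None):
    """Mint an HS256 JWT carrying the persistence-token id ("pid") and a
    scope restriction ("read-only"/"read-write"), but not the user's roles."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "pid": persist_id, "scope": scope, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_stateless(token, now=None):
    """Signature and expiry only, no database. Returns the claims or None."""
    try:
        h, c, s = token.split(".")
        header, claims, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c)), _b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # never let the token choose "none" or another alg
        return None
    expected = hmac.new(SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    now = int(time.time()) if now is None else now
    return claims if claims.get("exp", 0) > now else None

def authorize(token, action, revoked_pids, now=None):
    """Stateless checks first, then the one lookup the thread describes: is the
    persistence token still alive? Scope only narrows what the token may do; the
    user's current roles must come from the user record, not from the claims."""
    claims = verify_stateless(token, now)
    if claims is None or claims["pid"] in revoked_pids:
        return False  # bad token, or the persistence token was deleted -> denied
    if action == "write" and claims["scope"] != "read-write":
        return False  # a read-only token cannot be widened by the client
    return True
```

Deleting a persistence token (adding its id to `revoked_pids`) denies every JWT minted for it immediately, which is the revocation path 1rae describes; widening the scope client-side breaks the signature.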
~~~
1rae
Thanks for clearing it up.

