
Authentication and session handling using JWT in feathersjs


We are using feathersjs (https://feathersjs.com/), a framework for real-time applications and REST APIs. Username/password is the identity provider, which we are using for JWT authentication.

We are able to create an access token using JWT, reference link: https://docs.feathersjs.com/guides/basics/authentication.html. This accessToken can now be used for other REST requests that require authentication by sending the `Authorization: Bearer` HTTP header.

As mentioned, by default the only thing that Feathers stores in the JWT payload is the user id. It is a stateful token, but we cannot find any reference in the JWT payload for the same.

We were also able to revoke the JWT access token using the link https://docs.feathersjs.com/cookbook/authentication/revoke-jwt.html. We are using Redis for the same.

Now the question is: where is this JWT access token stored, and is this JWT stateless or stateful?

If this JWT is stateful, do we really need to maintain a session in our Node.js application, or is this JWT enough for the same? Else, if this JWT is stateless, how can we maintain the session in the Node.js application?

We could not even find any reference related to refresh tokens.

Thanks.


Solution

  • There are no sessions when using a JWT and no need to do any session handling (see this FAQ entry for more information). A client has to store it somewhere (and remove it to log out).

    Stateful here just means that there is an additional request to get the current user information when an authenticated request is made. The user id is stored in the `sub` (subject) claim of the token. You can see it when encoding the token (e.g. using jwt.io). How to create stateless tokens that do not make a request to get the user information is also documented in the cookbook but normally is not necessary.