Let's consider a special scenario where an admin (Admin A) logs in and starts doing some admin stuff on the system. Suddenly another admin (SuperAdmin) wants to downgrade Admin A to a normal user for some reason. However, even though Admin A is now just a normal user, his token is still an Admin token. So he can still do admin stuff until the token automatically expires in one hour.
So, in a scenario like this, what's the way to expire that token manually? Should the system use a DB query to check the user level for each admin route? Or is there any other way to achieve this?
Is there any way to configure core gateway to check the validity of the token?
I think if I check the validity of the token for each request in coregateway, we have a lot of overhead, and it defeats the entire purpose of using JWTs, in my opinion.
I am going with: JWTs are not designed for sessions or stateful representations of data.
Therefore either accept this or do some messy hack with an "allow/whitelist".
Option 2.
Use sessions.
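The scenario from the question, as an added example (not code from any of the posters): a minimal HS256 JWT issuer/verifier, a constructed user record standing in for the DB, and two authorization checks side by side. The purely stateless check keeps accepting Admin A's old token after the downgrade; the second check adds a per-user token version (a constructed `ver` claim, bumped on downgrade) and rejects it, which is the kind of per-request lookup the thread is debating. The secret, user table and claim names are assumptions for this example.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: HMAC key for HS256

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub, role, token_version, now=None, ttl=3600):
    """Mint an HS256 JWT carrying the user's role and current token version."""
    now = int(now if now is not None else time.time())
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "role": role, "ver": token_version, "iat": now, "exp": now + ttl}
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_signature(token, now=None):
    """Return the claims if the signature and expiry check out, else None.
    The algorithm is fixed server-side; the token's alg header is not trusted."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(payload))
    if claims["exp"] <= (now if now is not None else time.time()):
        return None
    return claims

# Constructed stand-in for the user table: current role and token version.
USERS = {"adminA": {"role": "admin", "ver": 1}}

def downgrade(user):
    """SuperAdmin demotes the user; bumping ver invalidates all earlier tokens."""
    USERS[user]["role"] = "user"
    USERS[user]["ver"] += 1

def authorize_stateless(token, now=None):
    """Trusts the token alone: stays true until exp, even after a downgrade."""
    claims = verify_signature(token, now)
    return claims is not None and claims["role"] == "admin"

def authorize_with_version_check(token, now=None):
    """One lookup per request: the token must match the user's current version."""
    claims = verify_signature(token, now)
    if claims is None:
        return False
    rec = USERS.get(claims["sub"])
    return rec is not None and rec["ver"] == claims["ver"] and claims["role"] == "admin"
```

The lookup could equally hit a cache rather than the DB; the point is that the version (or a short-lived token plus refresh) is what lets the server revoke without waiting for exp.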