
I think storing a JWT in a cookie is madness. You get every downside of JWT without any upside at all.

Use a normal session, since you already assume there is a db for authentication.

That JWT token takes much more space on a client (and sent with every request!) than a proper session cookie would.

That JWT refresh token would also take more space than what you store in claims would take up even if you naively stored it in DB (i.e. not via relation between user and session).

IMO, the only way to correctly use JWT for authz (authn is handled somewhere else, as it should be):

- authenticate user somehow (not JWT probably, unless it's a federated login)

- issue a short-lived JWT with required claims

- pass that JWT with requests to other backends

- now backends can validate that JWT by themselves
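The four steps in the comment above, written out as an added example that is not part of the original comment: an auth service mints a short-lived token after the user has been authenticated by some other means, and any backend verifies it on its own with nothing but the public key. Assumptions: Ed25519 (JWT `alg` "EdDSA") is the signature scheme, the claim set is `sub`, `roles`, `iat`, `exp`, the user "alice", her roles and the five-minute TTL are constructed for the demo, and `HasRole` stands in for whatever authz decision a backend makes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the minimal claim set a backend needs for its authz decision (assumed shape).
type Claims struct {
	Sub   string   `json:"sub"`
	Roles []string `json:"roles"`
	Iat   int64    `json:"iat"`
	Exp   int64    `json:"exp"`
}

var b64 = base64.RawURLEncoding // JWT uses unpadded base64url

// Issue runs at the auth service, after the user was authenticated elsewhere.
// The private key never leaves this service; only the TTL bounds the damage of a stolen token.
func Issue(priv ed25519.PrivateKey, sub string, roles []string, now time.Time, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	claims, err := json.Marshal(Claims{Sub: sub, Roles: roles, Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify runs in any backend with only the public key: no call to the auth service, no session DB.
func Verify(pub ed25519.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm: the token must never choose how it is verified ("alg":"none", key confusion).
	if hdr.Alg != "EdDSA" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	// Signature is over the exact encoded header.payload bytes, checked before the payload is trusted.
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// HasRole is the backend's local authz decision, made purely from verified claims.
func HasRole(c *Claims, role string) bool {
	for _, r := range c.Roles {
		if r == role {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // done once at the auth service; backends get pub only
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, err := Issue(priv, "alice", []string{"reader"}, now, 5*time.Minute) // constructed demo user
	if err != nil {
		panic(err)
	}
	fmt.Println("token:", tok)
	c, err := Verify(pub, tok, now.Add(time.Minute))
	fmt.Println("backend sees:", c, err, "can read:", c != nil && HasRole(c, "reader"))
	_, err = Verify(pub, tok, now.Add(10*time.Minute))
	fmt.Println("same token after TTL:", err)
}
```

The stateless `Verify` is the upside the comment refers to: a backend needs no round trip to whoever authenticated the user. The price is that nothing short of the TTL revokes a token, which is why the comment insists on "short-lived".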
