A question regarding Guardian (JWT) implementation and use of claims

I have implemented Guardian on one of my applications. My question is: if I will be authorizing actions based on the role_id defined in the users table, are these two options equal in terms of security?

  1. On accessing a protected path, use resource_from_claims(claims) to load the user object from the database and check if role_id == 1.

  2. Or encode the role_id in the token itself (the encoded and signed claims) like:

    %{
      "role_id" => "1",
      "sub" => "1"
    }

And then authorize actions based on this value without making the call to the database (users table)?

Remember the token can be reused until its timeout has passed, thus it is always safer to access the database as then you can revoke (and at which point there is no point in using a JWT at all).

4 Likes
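The two options from the question and the revocation point from the reply above, as an added Python example that is not from the thread and not Guardian code: a minimal HS256 JWT issuer and verifier (stand-ins for `encode_and_sign` and the verification Guardian does before `resource_from_claims`), an in-memory dict standing in for the users table, and one function per option. The secret, user rows and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; in Guardian this would be the configured signing secret.
SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict) -> str:
    """Issue a compact HS256 JWS over the given claims (stand-in for encode_and_sign)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify(token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature checks out and the token has not expired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None  # forged or altered token
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize_via_db(token: str, now: int, users: dict) -> bool:
    """Option 1: verify the token, then load the user row and decide from its current role_id."""
    claims = verify(token, now)
    if claims is None:
        return False
    user = users.get(claims.get("sub"))
    if user is None or user["revoked"]:
        return False
    return user["role_id"] == 1


def authorize_via_claims(token: str, now: int) -> bool:
    """Option 2: verify the token and trust the role_id that was baked into it at issue time."""
    claims = verify(token, now)
    if claims is None:
        return False
    return claims.get("role_id") == "1"


def scenario() -> dict:
    """Run both options through the situations the thread discusses; values are (option 1, option 2)."""
    now = 1_700_000_000
    # Constructed stand-in for the users table.
    users = {"1": {"role_id": 1, "revoked": False}, "2": {"role_id": 2, "revoked": False}}
    token = sign({"sub": "1", "role_id": "1", "exp": now + 3600})
    results = {"fresh": (authorize_via_db(token, now, users), authorize_via_claims(token, now))}

    users["1"]["role_id"] = 2  # admin demoted in the users table, token untouched
    results["after_demotion"] = (authorize_via_db(token, now, users), authorize_via_claims(token, now))

    users["1"].update(role_id=1, revoked=True)  # account revoked in the users table
    results["after_revoke"] = (authorize_via_db(token, now, users), authorize_via_claims(token, now))

    users["1"]["revoked"] = False
    late = now + 3601  # past exp: both options stop accepting the token
    results["after_expiry"] = (authorize_via_db(token, late, users), authorize_via_claims(token, late))

    # A payload edited without the key (role_id rewritten) no longer matches the signature,
    # so both options reject it: the signature, not the database lookup, is what catches this.
    h, _, s = sign({"sub": "2", "role_id": "2", "exp": now + 3600}).split(".")
    edited_payload = b64url(json.dumps({"sub": "2", "role_id": "1", "exp": now + 3600}).encode())
    edited = f"{h}.{edited_payload}.{s}"
    results["edited_claim"] = (authorize_via_db(edited, now, users), authorize_via_claims(edited, now))
    return results


if __name__ == "__main__":
    for case, (via_db, via_claims) in scenario().items():
        print(f"{case:15} option 1 (db lookup): {via_db!s:5} option 2 (claims only): {via_claims}")
```

The difference shows up in the `after_demotion` and `after_revoke` cases: option 2 keeps granting admin until `exp` because the role is frozen into the signed claims, while option 1 reflects the users table immediately. Both options are equally safe against an altered payload, since that is caught by the signature check either way, so the trade-off is really freshness (and the ability to revoke) against one database round trip per request.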

Jwt has value in a UI as it facilitates switching components and functionality on and off

1 Like

But I believe you cannot decode the JWT client side, so how does the UI access the claims inside the JWT?

In a signed JWT you can access it client-side, but not with encrypted JWT. Though why not just send JSON at that point as you are already over https and so forth.

2 Likes
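How the UI reads the claims out of a signed token, as an added Python example (not from the thread, and not browser or Guardian code): the payload of a compact JWS is base64url-encoded JSON that any holder can decode without the key, whereas a compact JWE carries ciphertext and is unreadable without it. The token, claim names and UI flags are constructed for the demo, and the signature segment is a placeholder because the client never checks it.

```python
import base64
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def read_claims_unverified(token: str) -> Optional[dict]:
    """Read the payload the way browser code can: no key, no signature check.

    A compact JWS has three dot-separated segments and its payload is plain base64url JSON.
    A compact JWE has five segments and its fourth is ciphertext, so the claims are not readable
    without the decryption key; None signals that case to the caller.
    """
    parts = token.split(".")
    if len(parts) == 5:
        return None
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def ui_flags(claims: dict) -> dict:
    """Derive front-end toggles from claims (the 'switching components on and off' use).

    Presentation only: the server still verifies the signature and authorises each request,
    because a client can read, and could just as easily write, a payload like this.
    """
    return {
        "show_admin_menu": claims.get("role_id") == "1",
        "signed_in_as": claims.get("sub"),
    }


# Constructed token: real header and payload segments, placeholder signature.
EXAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "1", "role_id": "1"}).encode()),
    "placeholder-signature",
])


if __name__ == "__main__":
    claims = read_claims_unverified(EXAMPLE_TOKEN)
    print("claims the UI can see:", claims)
    print("flags:", ui_flags(claims))
    print("JWE-shaped token readable?", read_claims_unverified("h.k.iv.ct.tag") is not None)
```

Because the payload is readable in the clear, the only thing the signature adds for a client-side consumer is that the server will reject an edited copy; it does not hide anything. That is the point of the reply above: if the server is going to look up the user anyway, sending the same fields as plain JSON over HTTPS gives the UI the same information with less machinery.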