authorization & authentication.html
Authorization vs Authentication
Authentication confirms users are who they say they are.
Authorization confirms that users have access to the resource they are requesting.
JWT Tokens
Token generated by a server and issued to a client for the purposes of authentication. The server signs the token using a private key; clients are then responsible for providing the token in HTTP authorization headers on API requests, along with the public key to use to validate the tokens authenticity.
JWT is json based, and any data can be included in the payload for the purposes of authentication; e.g., the ID of the authenticated user can be included.
In a JWT flow, the provided token to the server contains everything it needs to authenticate the user. This differs from a session flow, where provided cookies must be matched with data elsewhere (on the API server, in a separate session store, etc.) to authenticate.
JWTs are encoded, not encrypted, so sensitive information should not be stored in them. For that reason they should also be transmitted over secure SSL/TLS connections.
JWTs also include in their data signatures that can be used to verify token integrity; e.g., the the data in the token has been tampered, it will no longer match the signature.
Where to store user permissions?
One option is to place them in the user JWT tokens, though care must be taken if those tokens are transmitted via HTTP headers. Servers usually set a limit on the size of HTTP headers accepted (say, 8 KB).
Serverside authoization checks against an authorization server (can be third party, such as Okta Auth0) are a good alternative.