@jayfella now that I have a separate server for the account and each app, does it make sense to switch my JWT auth algorithm from HS512 hash-based authentication to the RS256 signature?
So each app can authenticate requests independently by using the shared public key.
What about when some client wants to connect to the game server.
Suppose client has already got the ip:port of the game server from the master server and now wants to make a connection to game server.
Should I also give the client a temporary access token to use when connecting a game server? So the game server can also safely authenticate who is being connected, either doing itself by using the shared public-key or by asking from the master server.
The user requests to join with their session ID they got when they logged in.
GameServer checks SID with auth server and accepts/rejects.
If accepted, auth server sets āactive gameā column to server token.
Their Session ID can only be part of one game. To do that you bind an āactive gameā column to a user. This stops single users logging into multiple games (account sharing).
Now you know who is connected to what. But you donāt want to keep querying the main server after they have joined successfully. From here-on you can accept the connection as valid.
Send the user back a token from the game-server. Do NOT use the original SID because thatās a password for all intent with ALL permissions. Use that token as a user reference to communicate bi-directionally.
Actually, in my case, all my REST endpoints are stateless (not session based), and every time the user login he gets a newly created JWT token valid for 48H, and from now on he uses this token to make a call to my REST endpoints.
If I got you right this Session ID is something that varies on each login, Yes? for example a random UUID.
And If I understand it correctly the Session ID should be a column in user account table that gets updated every time user login. And the client should use this Session ID to connect to the game server.