
Should I validate JSON web tokens on my app backend or login backend?

Çağlar Arlı


I wrote a login backend with Express.js to provide authentication (through LDAP) and authorization (through a database of authorized users for each app on MySQL). This backend generates JWTs and sends them back in the form of an HTTP-only cookie. I wrote a route to provide token validation on the login backend so that if you send a token to /validate, it will validate the token and send back a boolean value.

I also wrote a separate app that requires a login. This app's backend (also written with Express) gets the cookie from the login backend. Whenever the app backend makes a request, it should validate the token before sending any requests out. The question I have is: where should I validate the token and why? Should I validate the token using my login backend's validate route? Or should I grab the public key and validate the token on my app's own backend?

I read somewhere that it depends if you want to keep validation centralized or not.
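
The "grab the public key" option from the question, sketched as an added example that is not part of the original post. It assumes the login backend signs with RS256 and sets `exp` and a per-app `aud` claim; the key pair, claim values and function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// Stand-in for the login backend's signing key pair (constructed for this example).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

const b64url = (input) => Buffer.from(input).toString('base64url');

// Login backend side: sign header.payload with the private key (hypothetical helper).
function signToken(payload, key = privateKey, header = { alg: 'RS256', typ: 'JWT' }) {
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const signature = crypto.sign('RSA-SHA256', Buffer.from(signingInput), key);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// App backend side: needs only the public key, no call to /validate.
function verifyToken(token, pubKey, expectedAudience, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { valid: false, reason: 'malformed' };
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return { valid: false, reason: 'malformed' };
  }
  // Pin the algorithm: the token must not choose how it gets verified.
  if (header?.alg !== 'RS256') return { valid: false, reason: 'unexpected alg' };
  const signatureOk = crypto.verify('RSA-SHA256', Buffer.from(`${parts[0]}.${parts[1]}`),
    pubKey, Buffer.from(parts[2], 'base64url'));
  if (!signatureOk) return { valid: false, reason: 'bad signature' };
  // Claims are trusted only after the signature check has passed.
  if (typeof payload?.exp !== 'number' || payload.exp <= now) {
    return { valid: false, reason: 'expired' };
  }
  // Assumed per-app audience claim: a token issued for another app is rejected.
  if (payload.aud !== expectedAudience) return { valid: false, reason: 'wrong audience' };
  return { valid: true, payload };
}
```

A check like this sees only what is inside the token, so a token revoked on the login backend still verifies locally until its `exp` passes; a central /validate route can consult server-side state that the app backend does not have.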