JWT in Plone 6 Classic UI for third-party authorization

I am implementing an app in Plone which needs to get data from another system. The proposed setup is to use HTMX to interact with the other app. For authorization, I am thinking of using JWT with a shared HS256 password. JWT is generated after logging in to Plone and is sent to the other app when needed. Since plone.restapi already implements a JWT PAS plugin, I am investigating how to use it for my purpose. From searching the forum, I came across a past discussion:

A proposed solution is for the JWT to be generated after a login event as implemented in the link below:

The JWT plugin has a "store tokens" directive. I am thinking that in my browser view, I can query for the issued token stored on the plugin. If it is not available or it will be expiring soon, a new one will be generated and it is used. Is this a sound strategy? Or is there a better one? I have also read that the token can be saved in the user's browser local or session storage but there are security implications.

Thanks in advance for the feedback.
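
The reuse-or-refresh strategy described in the post, together with the check the receiving app would run on each HS256 token, as an added example that is not part of the original post and is not plone.restapi code. It uses only the Python standard library; `SECRET`, `REFRESH_WINDOW` and all function names are hypothetical, and the secret is a constructed sample value.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-shared-secret-for-demo"  # assumption: shared out of band
REFRESH_WINDOW = 60  # assumption: seconds before expiry at which to re-issue

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue(userid, ttl=300, now=None):
    """Issuing side: sign a short-lived HS256 token for userid."""
    now = int(time.time() if now is None else now)
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64(json.dumps({"sub": userid, "iat": now, "exp": now + ttl}).encode())
    return f"{header}.{payload}.{b64(sign(header + '.' + payload))}"

def verify(token, now=None):
    """Receiving side: return the claims, or None if the token is rejected."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        # Pin the algorithm; never let the token header choose it.
        if json.loads(unb64(header)).get("alg") != "HS256":
            return None
        # Constant-time comparison of the recomputed MAC.
        if not hmac.compare_digest(sign(header + "." + payload), unb64(sig)):
            return None
        claims = json.loads(unb64(payload))
        exp = claims.get("exp")
    except (ValueError, TypeError, AttributeError):
        return None
    return claims if isinstance(exp, (int, float)) and exp > now else None

def token_for(userid, cached=None, now=None):
    """Reuse the cached token unless it is invalid or about to expire."""
    now = time.time() if now is None else now
    claims = verify(cached, now) if cached else None
    if claims and claims.get("sub") == userid and claims["exp"] - now > REFRESH_WINDOW:
        return cached
    return issue(userid, now=now)
```
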