When a dashboard user requests protected API endpoints, we go through the following general steps in order to determine whether the user's request can be fulfilled.
- Extract the encoded authentication token from the request's `Authorization` header.
- Decode the token.
- Extract the `token.jti` claim, which represents the access token resource in the OTX DB (i.e. `AccessToken.find(token.payload.jti)`).
- Get the access token's associated subject (where `AccessToken#subject` is a polymorphic relationship), which should/will correspond to the dashboard user that made the request.
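The four steps above as an added Ruby example (not the page's or OTX's own code): an HS256 JWT is taken from the `Authorization` header, its algorithm, signature and expiry are checked before the payload is trusted, the `jti` is looked up in an in-memory stand-in for the `AccessToken` table, and the token's polymorphic subject is resolved to the dashboard user. The record structs, the HMAC secret and all token values are constructed assumptions; in the real app the hash lookup is `AccessToken.find(token.payload.jti)` on an ActiveRecord model.

```ruby
require "json"
require "base64"
require "openssl"
# Constructed in-memory stand-ins for the OTX DB records; the real app uses
# ActiveRecord models, but the jti lookup and polymorphic resolution work the same.
DashboardUser = Struct.new(:id, :email)
AccessToken   = Struct.new(:jti, :subject_type, :subject_id, :revoked)
USERS  = { 42 => DashboardUser.new(42, "analyst@example.com") }
TOKENS = {
  "tok-0001" => AccessToken.new("tok-0001", "DashboardUser", 42, false),
  "tok-0002" => AccessToken.new("tok-0002", "DashboardUser", 42, true),
}
SUBJECT_TABLES = { "DashboardUser" => USERS } # subject_type -> table (polymorphic)
SECRET = "constructed-hmac-secret"

# Compare two byte strings without leaking where they differ through timing.
def constant_time_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 2: decode the HS256 JWT, verifying algorithm, signature and expiry first.
def decode_token(encoded, secret)
  header_b64, payload_b64, sig_b64, extra = encoded.split(".")
  return nil if sig_b64.nil? || extra # must be exactly header.payload.signature
  header = JSON.parse(Base64.urlsafe_decode64(header_b64))
  return nil unless header["alg"] == "HS256" # never accept "none" or a swapped alg
  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{header_b64}.#{payload_b64}")
  return nil unless constant_time_equal?(expected, Base64.urlsafe_decode64(sig_b64))
  payload = JSON.parse(Base64.urlsafe_decode64(payload_b64))
  return nil if payload["exp"] && payload["exp"] < Time.now.to_i
  payload
rescue ArgumentError, JSON::ParserError, TypeError, NoMethodError # malformed token
  nil
end

# Steps 1, 3 and 4: Authorization header -> jti -> AccessToken -> polymorphic subject.
def authenticate(headers, secret: SECRET)
  m = headers["Authorization"].to_s.match(/\ABearer\s+(\S+)\z/) or return nil
  payload = decode_token(m[1], secret) or return nil
  token = TOKENS[payload["jti"]] # stands in for AccessToken.find(token.payload.jti)
  return nil if token.nil? || token.revoked # unknown jti, or revoked server-side
  SUBJECT_TABLES.fetch(token.subject_type, {})[token.subject_id]
end

# Issuer side, used only to mint tokens for the constructed cases.
def encode_token(payload, secret)
  parts = [{ alg: "HS256" }, payload].map { |h| Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
  sig = OpenSSL::HMAC.digest("SHA256", secret, parts.join("."))
  (parts << Base64.urlsafe_encode64(sig, padding: false)).join(".")
end
```

Because the subject is resolved through the stored `AccessToken` row rather than from claims inside the JWT, a token can be revoked server-side even while its signature is still valid.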