I am working on a personal project for learning reasons, and have come to the point of authenticating and authorizing users. I would like to keep the project as stateless as possible, to make sure it can run on either 1 or 100 machines without much effort.
Here is my current plan of action for my users on this microservice architecture:
1. A user goes to an MVC application that serves a game. They are not logged in, so they are redirected to a login page.
2. Upon successful login, the MVC app sets a JWT in the user's cookies. The JWT only contains the user id and their claims (user, admin, etc.). The JWT logic is managed by IdentityServer4.
3. The user is logged in to the MVC app and can play a game. The user posts whatever move they want to make, and the ID of the game they are playing.
4. The MVC app uses the user id and claim in the JWT to retrieve the game being played from a Redis cache. The move the user posted is processed. The resulting game state is stored in Redis.
5. The user receives the current game state from the server. Repeat from step 3.
My question: are JWTs a good use case for the above scenario? Or are there any downsides I may have missed?
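As an added example (not code from the question or from IdentityServer4), this is the check the move-handling step needs: verify the cookie JWT with no server-side session, then confirm the posted game id belongs to the user named in the token. The HMAC key and the dictionary standing in for Redis are constructed stand-ins; IdentityServer4 would normally sign with RS256 and publish a public key instead.

```python
import base64, hashlib, hmac, json, time

# Assumption: a shared HMAC key stands in for the IdentityServer4 signing key.
SECRET = b"constructed-demo-signing-key"

# Constructed stand-in for the Redis cache: game id -> owner and move history.
GAMES = {"g1": {"owner": "alice", "moves": []}, "g2": {"owner": "bob", "moves": []}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, roles, ttl=900, now=None):
    """Mint an HS256 JWT carrying only the user id (sub) and roles, as in the question."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "role": roles, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, else None. No server-side lookup."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # pin the algorithm, never trust the header
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None  # a token stays valid until exp; nothing here can revoke it earlier
        return claims
    except (ValueError, AttributeError, TypeError):  # malformed base64/JSON or wrong types
        return None

def make_move(cookie_token, game_id, move, now=None):
    """Step 4 of the flow: authenticate from the cookie, then check the game belongs to that user."""
    claims = verify_token(cookie_token, now)
    if claims is None:
        return ("unauthenticated", None)
    game = GAMES.get(game_id)
    if game is None or game["owner"] != claims.get("sub"):  # game id is client-supplied: enforce ownership
        return ("forbidden", None)
    game["moves"].append(move)
    return ("ok", game)
```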