Forum Discussion

2funky_105078
May 30, 2018

JWT token with APM 13.1 Oauth/OID

Hello,


I would like to understand better the advantages of using APM in a typical OAuth flow, especially in an AWS environment which already has the Cognito service. The final goal is to secure AWS API gateways towards a backend DB.


Without using APM, if we send a JWT token to the client (which is digitally signed), is there a chance that once this is stolen, a hacker could impersonate the user in the application? If I understand correctly from some suggestions on the web, this risk could be prevented by using a by-reference token which is mapped to the by-value/JWT token (which includes all permissions). But if the by-reference token is stolen, isn't it the same as if the by-value token had been stolen? So what's the reason for this distinction?


With APM, the session is handled automatically by the MRH-session cookie and all of APM's session handling. Is the JWT token never sent back to the client?


  • Is this reasoning correct?
  • Is this the reason why it would make sense to use APM in a Cognito environment?
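As an added illustration of the by-reference vs. by-value distinction raised in the question above (example code, not part of the original post, and not how APM or Cognito implement it): a stolen self-contained JWT stays valid until its `exp`, while an opaque reference is only a random key into a server-side store, so it reveals no claims and can be revoked immediately. The signing key, claims and store below are constructed for the illustration.

```python
import base64, hashlib, hmac, json, secrets, time

HMAC_KEY = b"constructed-demo-key"  # constructed for the illustration only

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_jwt(claims: dict) -> str:
    """Minimal HS256 JWT (by-value token): the claims travel inside the token."""
    header = b64url(json.dumps({"alg": "HS256"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(HMAC_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_jwt(token: str, now: float):
    """Stateless check: good signature and not expired. Nothing else can stop it."""
    header, payload, sig = token.split(".")
    expected = hmac.new(HMAC_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims["exp"] > now else None

class ReferenceTokenStore:
    """Server-side map opaque reference -> JWT; the client only ever holds the reference."""
    def __init__(self):
        self._store = {}
    def issue(self, claims: dict) -> str:
        ref = secrets.token_urlsafe(32)  # random string, reveals no claims if leaked
        self._store[ref] = make_jwt(claims)
        return ref
    def resolve(self, ref: str, now: float):
        jwt = self._store.get(ref)
        return verify_jwt(jwt, now) if jwt else None
    def revoke(self, ref: str) -> None:
        self._store.pop(ref, None)  # effective immediately, no waiting for exp

def theft_scenario():
    """Return (jwt_still_valid, ref_still_valid) after the server revokes the session."""
    now = time.time()
    store = ReferenceTokenStore()
    ref = store.issue({"sub": "alice", "scope": "db:read", "exp": now + 3600})
    jwt = store._store[ref]  # what a client would hold in a by-value deployment
    store.revoke(ref)  # logout, anomaly detection, or a reported theft
    return verify_jwt(jwt, now) is not None, store.resolve(ref, now) is not None
```

The difference only matters if the resolver is the sole path to the backend: the by-value JWT must never be handed to the client in the by-reference design, and the reference itself still needs transport protection and a short lifetime.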