How JWT and OAuth work separately, I can imagine. But how do you combine them and still leave the opportunity to work with multiple devices? The way I see it:
1. The client generates an ID for the device: **DeviceId**.
2. It sends **DeviceId**, **Login**, **Password** to the server.
3. The server generates **AccessToken** and **RefreshToken** and stores them together with **DeviceId** to distinguish between sessions on different devices.
Then the questions:
1. In this case, what are the tokens: random hashes, or a JWT with some payload inside?
2. Do you need to save **AccessToken** in the database? Or does it hold a JWT for the authorized user, and only **RefreshToken** is saved?
3. What about the compromise of a token on one of the devices? When an attacker uses **RefreshToken**, is the user logged out on that device only, or is there only one **RefreshToken** per user, so that after **AccessToken** on one of the devices and generating a new pair, all devices will be logged out?
How do you do this properly? Does anyone have implementation experience?
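
Added example, not part of the original post: a sketch of steps 1-3 with one session per (**Login**, **DeviceId**), showing one possible policy for question 3 in which a replayed **RefreshToken** ends the session on that device only. Assumptions: the password check has already passed before `issue_pair` is called, **AccessToken** is an HS256 JWT that is never stored, **RefreshToken** is an opaque random value stored only as a SHA-256 hash, and the in-memory `sessions` dict stands in for the database. All function names are hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)   # constructed signing key for the demo
ACCESS_TTL = 300                   # assumed AccessToken lifetime, seconds
sessions = {}                      # (login, device_id) -> sha256 of current RefreshToken

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_access_token(login, device_id, now=None):
    """Build an HS256 JWT; it is stateless, so the server does not store it."""
    now = int(time.time()) if now is None else now
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": login, "did": device_id, "exp": now + ACCESS_TTL}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_access_token(token, now=None):
    """Return the claims if signature and expiry are valid, else None."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return None
    # The algorithm is fixed server-side; the token's own "alg" is never trusted.
    expected = _b64(hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims["exp"] > now else None

def issue_pair(login, device_id):
    """Step 3: new pair bound to this device; only the RefreshToken hash is kept."""
    refresh = secrets.token_urlsafe(32)
    sessions[(login, device_id)] = hashlib.sha256(refresh.encode()).hexdigest()
    return make_access_token(login, device_id), refresh

def refresh_pair(login, device_id, refresh):
    """Rotate the pair for one device; other devices' sessions are untouched."""
    stored = sessions.get((login, device_id))
    if stored is None:
        return None
    presented = hashlib.sha256(refresh.encode()).hexdigest()
    if not hmac.compare_digest(stored, presented):
        del sessions[(login, device_id)]   # replayed or stale token: end this device's session
        return None
    return issue_pair(login, device_id)    # rotation: the old RefreshToken is now dead
```

With this policy, whoever presents a rotated-out **RefreshToken** forces a fresh login on that one device, while an already issued **AccessToken** remains valid until its `exp`.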