Hi,
The default Auth demo you supply is vulnerable, because it shows an example of storing authorization state on the client (as a JWT). In these cases there must be some kind of revocation mechanism.
Does TMS have such a revocation mechanism built in? For example, support for Redis? (Or is there any chance that TMS will include such a revocation mechanism in Sparkle in the future?)
You can read more about these vulnerabilities on: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ and https://leastprivilege.com/2015/11/25/reference-tokens-and-introspection/
Thanks in advance.