mavera

Reputation: 3241

How does token validation work on token-based authentication systems?

When token-based authentication is compared to traditional server authentication, it is said that the traditional method keeps login info in memory on the server side, but in token-based authentication the server keeps nothing. Information about the logged-in user is stored in the token itself.

However, I didn't get one point here. If the server doesn't store anything, how does the server validate the token? I think it should store the secret key to decrypt the token and then validate it.

If so, where is it stored? If not, what point did I miss?

Upvotes: 1

Views: 242

Answers (2)

MvdD

Reputation: 23436

The server issuing the token digitally signs the token with a private key.

The service consuming the token only needs the public key to validate the token. It can download the public key from the issuing server on startup or first use. After that, it does not need to communicate with the issuing server to validate tokens. If the signature is valid, the service trusts the contents of the token.

Upvotes: 1
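The issue-then-verify flow this answer describes, as an added example that is not part of the answer or of any JWT library. It builds a JWT-shaped token (header.payload.signature, base64url) signed with Ed25519 by an "issuer" that alone holds the private key, and a "consumer" that validates it with only the public key and a clock. The algorithm choice (EdDSA), the claim values (`alice`, `mallory`, issuer `auth.example`) and the one-hour lifetime are assumptions for illustration; the rest uses only the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Token layout follows JWT (RFC 7519): base64url(header).base64url(payload).base64url(signature).
// sub/iss/exp are standard registered claim names; "auth.example" is a made-up issuer.
type header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
}

// Claims is everything the consuming service learns about the user from the token itself.
type Claims struct {
	Sub string `json:"sub"` // subject: the logged-in user
	Iss string `json:"iss"` // issuer: who signed the token
	Exp int64  `json:"exp"` // expiry as a Unix timestamp
}

var enc = base64.RawURLEncoding

// Issue runs on the issuing server, the only party holding the private key.
func Issue(priv ed25519.PrivateKey, c Claims) (string, error) {
	h, err := json.Marshal(header{Alg: "EdDSA", Typ: "JWT"})
	if err != nil {
		return "", err
	}
	p, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString(h) + "." + enc.EncodeToString(p)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// Validate runs on the consuming service. It needs only the issuer's public key and a clock;
// it never contacts the issuer and keeps no per-user session state.
func Validate(pub ed25519.PublicKey, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	hb, err := enc.DecodeString(parts[0])
	if err != nil {
		return Claims{}, err
	}
	var h header
	if err := json.Unmarshal(hb, &h); err != nil {
		return Claims{}, err
	}
	// Pin the algorithm the service expects; never let the token's own header choose it.
	if h.Alg != "EdDSA" {
		return Claims{}, errors.New("unexpected alg " + h.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	// Check the signature over header.payload BEFORE trusting anything in the payload.
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return Claims{}, errors.New("bad signature")
	}
	pb, err := enc.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return Claims{}, err
	}
	// A missing exp decodes as 0 and is therefore treated as already expired.
	if !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the issuer's key pair
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := Issue(priv, Claims{Sub: "alice", Iss: "auth.example", Exp: now.Add(time.Hour).Unix()})
	fmt.Println("token:", tok)
	fmt.Println(Validate(pub, tok, now)) // claims for alice, <nil>
	// An attacker who rewrites the payload cannot produce a matching signature without the private key.
	parts := strings.Split(tok, ".")
	parts[1] = enc.EncodeToString([]byte(`{"sub":"mallory","iss":"auth.example","exp":9999999999}`))
	fmt.Println(Validate(pub, strings.Join(parts, "."), now))  // {}, bad signature
	fmt.Println(Validate(pub, tok, now.Add(2*time.Hour)))      // {}, token expired
}
```

The consumer's whole "state" is the issuer's public key, obtained out of band as the answer says (fetched once at startup or first use). Two caveats a practitioner should keep in mind: the service must pin the algorithm it accepts rather than honouring whatever `alg` the token claims, and because nothing is stored per user, a token cannot be revoked before `exp` without reintroducing some server-side state (a short lifetime is the usual mitigation).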

Alster

Reputation: 121

For example, look at "jwt"; it uses "ssh" keys.

Upvotes: 1
