Waqar Haider

Reputation: 973

OAuth 2.0: How will the servers validate access_tokens?

I have two servers, let's say A and B. Server A will authenticate users and generate tokens. Now on server B how do I check if the token is valid? Do I have to go through server A every time to check for valid tokens?

Do I have to save the token along with the expiration date in Server B, and check for validation on Server B?

Upvotes: 0

Views: 139

Answers (1)

Takahiko Kawasaki

Reputation: 19011

If a server which issues access tokens (an authorization server) and a server which provides APIs protected by access tokens (a resource server) are different, in a simple implementation, the resource server has to communicate with the authorization server every time it validates an access token.

RFC 7662 (OAuth 2.0 Token Introspection) defines the specification of an introspection endpoint which an authorization server provides for resource servers to introspect access tokens. Implementations of APIs hosted by resource servers are expected to call the introspection endpoint to validate access tokens presented by client applications.

Upvotes: 1
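The flow the answer describes, as an added example (not the answerer's code): server A exposes an RFC 7662 introspection endpoint, and server B POSTs each presented token to it, honouring `active`, `exp` and `scope` in the reply. The in-memory `introspection_endpoint` stands in for the real HTTPS call, the token values are constructed, and the short positive-result cache on B is an assumption about how a resource server typically limits the per-request round trip.

```python
import hashlib
import time
from urllib.parse import parse_qs, urlencode

# Constructed token store on the authorization server (server A).
AUTH_SERVER_TOKENS = {
    "tok-valid": {"sub": "alice", "scope": "read write", "exp": time.time() + 3600},
    "tok-expired": {"sub": "bob", "scope": "read", "exp": time.time() - 60},
}

def introspection_endpoint(body: str) -> dict:
    """Mock of A's POST /introspect. The real request is an HTTPS POST of
    application/x-www-form-urlencoded data, authenticated with B's own
    credentials. Unknown, revoked and expired tokens all yield {"active": false}."""
    params = parse_qs(body)
    token = params.get("token", [""])[0]
    meta = AUTH_SERVER_TOKENS.get(token)
    if meta is None or meta["exp"] <= time.time():
        return {"active": False}
    return {"active": True, **meta}

class ResourceServer:
    """Server B: validates bearer tokens through introspection, caching positive
    answers briefly so it does not contact A on every single API call."""

    def __init__(self, introspect, cache_ttl: int = 60):
        self._introspect = introspect  # callable(form_body) -> dict (hypothetical transport)
        self._cache = {}               # sha256(token) -> (cache_expiry, introspection response)
        self._cache_ttl = cache_ttl

    def validate(self, token: str, required_scope: str) -> bool:
        key = hashlib.sha256(token.encode()).hexdigest()  # never keep raw tokens in the cache
        now = time.time()
        cached = self._cache.get(key)
        if cached and cached[0] > now:
            resp = cached[1]
        else:
            body = urlencode({"token": token, "token_type_hint": "access_token"})
            resp = self._introspect(body)
            # Cache only active tokens, and never beyond the token's own exp,
            # so a revocation is seen within cache_ttl and expiry is never outlived.
            if resp.get("active"):
                self._cache[key] = (min(now + self._cache_ttl, resp.get("exp", now)), resp)
        if not resp.get("active"):
            return False
        return required_scope in resp.get("scope", "").split()
```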
