Reputation: 47090
With OAuth, access token validity has to be checked by the authorization server. Is there a way to do this without making a round trip to the authorization server for every request to the resource server? I've done some reading up on JWT and it seems like, since the JWT can be signed, it should be able to be verified by the resource server without going to the authorization server? IIUC, is there some standard / simple way to do this with Spring Security OAuth?
Upvotes: 0
Views: 395
Reputation: 5948
JWT does not require a call back to authorization server. You can either use:
1) Client secret key to sign and validate the JWT token. The secret key will be stored in both authorization server and your app.
2) Or preferably use private/public keys like JWK to sign and validate the token. The private key will be stored on authorization server side and public token in your app. You can optionally get public key from authorization server, cache it and refresh after some period of time. For more see https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStore.java.
Upvotes: 1
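A stand-alone illustration of option 1 above (shared-secret HS256 signing on the authorization server, local verification on the resource server), added here as an example; it is not from the question, the answer or Spring Security OAuth, and the secret, issuer and expiry values are constructed for the demo. The verification side shows the checks the resource server must do itself once it stops calling back: pin the algorithm, compare the signature in constant time, then check issuer and expiry.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret: the same value would be configured on the
# authorization server (signer) and the resource server (verifier).
SHARED_SECRET = b"constructed-demo-secret-do-not-use"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_hs256(claims: dict, secret: bytes) -> str:
    """Authorization-server side: sign the claims once, at token issue time."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, secret: bytes, issuer: str, now=None) -> dict:
    """Resource-server side: validate locally, no call to the auth server.
    Returns the claims, or raises ValueError on any failed check."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token header choose "none" or another alg.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    tok = issue_hs256({"iss": "https://auth.example", "sub": "alice",
                       "exp": time.time() + 300}, SHARED_SECRET)
    print(verify_hs256(tok, SHARED_SECRET, "https://auth.example"))
```

With option 2 the structure is the same; only the HMAC comparison is replaced by a public-key signature check against the cached JWK.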