user1340582

Reputation: 19729

How to validate an OAuth2 access token (JWT) without accessing the auth server

Trying to understand the 2-legged client credentials scheme in OAuth2. Some people state that JWT is a great format for an Access Token because it is self-contained and the resource server doesn't need to verify the token with the authorization server (STS). But how is this done? The only way I see the resource server could itself validate the JWT is by storing a public key on the server, which is used to verify the signature.

Upvotes: 3

Views: 4268

Answers (1)

Hans Z.

Reputation: 54078

When using a JWT as an access token, the Resource Server doesn't need to call out to the Authorization Server to verify it. Indeed the Resource Server will need to store the public key of the Authorization Server to do so. Obtaining that public key is an out-of-band process.

Verification of a JWT consists of checking the signature plus some additional checks on claims embedded in the token e.g. timestamps (iat, exp, nbf) and identifiers (aud).

The advantage of JWT over other forms of signed data/tokens is that JWTs are standardized and flexible with respect to the cryptography used by them, which makes it possible to use standard libraries to create/verify them instead of having to write custom code.

Upvotes: 5
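The flow the answer describes, as an added example that is not part of the original answer or of any library it mentions: the authorization server signs the token with RS256, and the resource server verifies it with nothing but the AS public key, a pinned algorithm, the issuer and audience it expects, and its own clock. The issuer and audience URLs, the in-process key generation, the 30-second skew allowance and the use of a plain string for `aud` are assumptions made for the demo; it uses only the Go standard library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims are the registered claims checked after the signature is known good.
type Claims struct {
	Issuer    string `json:"iss"`
	Subject   string `json:"sub"`
	Audience  string `json:"aud"` // plain string here; RFC 7519 also allows an array
	IssuedAt  int64  `json:"iat"`
	NotBefore int64  `json:"nbf"`
	ExpiresAt int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url

// IssueToken plays the authorization server: RS256 over "header.payload".
func IssueToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c) // cannot fail for this struct
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyToken plays the resource server. Its only inputs are the AS public key
// (obtained out of band), the expected issuer/audience and a clock; no AS call.
func VerifyToken(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected 3 segments")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("malformed token: bad base64url segment")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm; honouring the token's own "alg" is how alg=none and
	// RSA/HMAC key-confusion bugs happen.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims // parse the payload only after the signature has checked out
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	const leeway int64 = 30 // seconds of AS/RS clock skew tolerated (assumption)
	t := now.Unix()
	switch {
	case c.Issuer != wantIss:
		return nil, fmt.Errorf("unexpected issuer %q", c.Issuer)
	case c.Audience != wantAud:
		return nil, fmt.Errorf("token is for audience %q, not this server", c.Audience)
	case c.ExpiresAt == 0 || t > c.ExpiresAt+leeway:
		return nil, errors.New("token expired or has no exp")
	case c.NotBefore != 0 && t < c.NotBefore-leeway:
		return nil, errors.New("token not yet valid")
	case c.IssuedAt != 0 && t < c.IssuedAt-leeway:
		return nil, errors.New("token issued in the future")
	}
	return &c, nil
}

func main() {
	// Demo only: the key pair is generated in-process; a real RS loads just the public half.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := IssueToken(priv, Claims{Issuer: "https://as.example", Subject: "client-app",
		Audience: "https://api.example", IssuedAt: now.Unix(), NotBefore: now.Unix(), ExpiresAt: now.Unix() + 300})
	c, err := VerifyToken(&priv.PublicKey, tok, "https://as.example", "https://api.example", now)
	fmt.Printf("claims=%+v err=%v\n", c, err)
}
```

Two design points worth copying into a real verifier: the accepted algorithm is fixed by the resource server rather than read from the token, and the payload is not parsed until the signature over it has been checked, so claims from a forged token never influence any decision. Key distribution remains the out-of-band step the answer mentions; whether the public key comes from a PEM file or a JWKS document fetched and cached at start-up, the per-request path still involves no call to the authorization server.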
