NJUHOBBY

Reputation: 850

How does API protected resource validate access token on Identity Server 4?

I use the IdentityServer3.AccessTokenValidation middleware to validate access tokens for my API, since it's ASP.NET Framework based. It works, but I do have questions and concerns. First of all, does the API send a request to the Identity Server to validate the access token for every request? Will this have a big impact on the performance of both the API and the Identity Server? Is this the best practice? Is there any caching strategy that I can use to reduce the round-trip traffic for access token validation?

I just can't imagine that for every API request, it has to send a request to the Identity Server, and then the Identity Server needs to send a request to its database to validate the token.

Upvotes: 0

Views: 604

Answers (1)

Nan Yu

Reputation: 27588

When validating access tokens, specifically when validating the signature, the API/resource server will pull down (and might cache) your identity provider's discovery document, located at https://baseaddress/.well-known/openid-configuration. This document contains the material that allows the resource server to validate the token; it reads the available keys from jwks_uri.

The JwtBearerAuthentication middleware or the IdentityServer.AccessTokenValidation middleware will do that process for you. In IdentityServer4.AccessTokenValidation, there is an option named DiscoveryDocumentRefreshInterval that specifies how often the cached copy of the discovery document should be refreshed. If not set, the default value comes from Microsoft's underlying configuration manager (which right now is 24h).

Upvotes: 2
