Marsh

Reputation: 8145

What do I verify within a client bearer token?

I've got service A, an OAuth 2 authentication server, and service B.

Service A has an API and trusts the authentication server.

Service B needs to call service A's API, and to do so it needs to include a client (i.e., non-user-specific) bearer token in the request header.

Aside from client_id and sub (which should be the same as client_id), what information from the bearer token does service A need to use to verify with the authentication server that service B is who it says it is, that the bearer token is valid?

Upvotes: 0

Views: 209

Answers (1)

Jonas

Reputation: 129055

what information from the bearer token does service A need to use to verify with the auth server that service B is who it says it is, that the bearer token is valid?

In addition to sub, you should validate:

  • That it is not expired.
  • That the token issuer iss is the server that you trust.
  • That the token is signed, e.g. with RSA, and signed by the issuer's private certificate.

Common OAuth servers on the market can typically do these validations for you by using an HTTP endpoint.

Upvotes: 1
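The checks listed in the answer, done locally in service A rather than by calling back to the authorization server, as an added example that is not part of the question or the answer. It assumes the token is an RS256-signed JWT, that service A already holds the authorization server's RSA public key (in practice fetched from the issuer's JWKS endpoint), and that the token carries an `aud` claim naming service A; the issuer URL, client ID and audience strings are made up. `SignToken` only stands in for the authorization server so the example runs offline; the attacker key and the "none" header show what a forged or alg-downgraded token looks like to the verifier.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims service A inspects in a client-credentials (non-user) bearer token.
type Claims struct {
	Iss      string `json:"iss"`
	Sub      string `json:"sub"`
	ClientID string `json:"client_id"`
	Aud      string `json:"aud"`
	Exp      int64  `json:"exp"`
}

// VerifyBearer checks a compact JWS (header.payload.signature) before service A
// trusts it as proof that service B is the caller:
//  1. header alg must be exactly RS256 (rejects "none" and HMAC key-confusion),
//  2. the signature must verify under the trusted issuer's RSA public key,
//  3. iss must be the trusted issuer and aud must name this service,
//  4. exp must lie in the future and sub must equal client_id.
// Signature is verified before the payload is parsed so unsigned data is never trusted.
func VerifyBearer(token string, pub *rsa.PublicKey, trustedIss, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != trustedIss {
		return nil, fmt.Errorf("untrusted issuer %q", c.Iss)
	}
	if c.Aud != audience {
		return nil, fmt.Errorf("token not issued for this service (aud=%q)", c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	if c.Sub == "" || c.Sub != c.ClientID {
		return nil, errors.New("sub does not match client_id")
	}
	return &c, nil
}

// SignToken mints a token with the given header alg; it stands in for the
// authorization server (constructed data for the example, not a real issuer).
func SignToken(priv *rsa.PrivateKey, alg string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(c)
	signing := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signing + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

func main() {
	authServer, _ := rsa.GenerateKey(rand.Reader, 2048) // the trusted issuer's key (assumed)
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048)   // a key service A does not trust
	now := time.Now()
	good := Claims{Iss: "https://auth.example", Sub: "service-b", ClientID: "service-b", Aud: "service-a", Exp: now.Add(5 * time.Minute).Unix()}
	for _, tc := range []struct {
		name string
		key  *rsa.PrivateKey
		alg  string
		c    Claims
	}{
		{"valid", authServer, "RS256", good},
		{"forged with untrusted key", attacker, "RS256", good},
		{"alg downgraded to none", authServer, "none", good},
		{"expired", authServer, "RS256", Claims{Iss: good.Iss, Sub: good.Sub, ClientID: good.ClientID, Aud: good.Aud, Exp: now.Add(-time.Minute).Unix()}},
	} {
		tok, _ := SignToken(tc.key, tc.alg, tc.c)
		_, err := VerifyBearer(tok, &authServer.PublicKey, "https://auth.example", "service-a", now)
		fmt.Printf("%-26s -> err=%v\n", tc.name, err)
	}
}
```

Verifying locally this way is the alternative to the HTTP endpoint the answer mentions (token introspection): introspection lets the authorization server report revocation, at the cost of a network round trip per request, while local verification only needs the issuer's public key and the clock. Either way, service A should also require a `client_id`/`sub` it actually knows and expects to call its API, not merely a well-formed one.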
