Chandan Gupta

Reputation: 619

JWT and Authorization Server

Does an API need to validate a token from the Authorization Server if the token is in JWT format? It is sometimes very confusing to understand the flow of a token. JWT is said to be self-explanatory, so why should it be validated again?

Upvotes: 0

Views: 61

Answers (1)

Gary Archer

Reputation: 29218

The Authorization Server (AS) issues a JWT access token signed with a cryptographic private key to a client application, e.g. a mobile app. This is only allowed if the client is registered with the AS. The mobile app will then send tokens to APIs.

The API must then validate the JWT on every request, using the public key from the AS, in order to prove that the token is signed with the correct cryptographic key. If it did not then an attacker could issue their own JWT to call your API and gain access to data.

It is a pretty simple task to code in any API technology, by plugging in a JWT security library. For further info see the JWT Best Practices article.

Upvotes: 1
