nidhi vyas

Reputation: 1

JWT Architecture with granular access and PingFederate

I need help with understanding the complete JWT architecture using public/private keys. Our goal is explained below. Authentication will be initiated from an app. We are planning to generate the token at the client's end using the Java JJWT library, signed by the client's private key, and send that to PingFederate only to validate the signature using the public key. After Ping has validated the signature we would directly provide access to the Resource API.

Questions:

  1. Is it possible for PingFederate to validate a token which it has not generated?
  2. Is this approach correct, to allow access to the Resource API once Ping has validated the signature of the JWT token? Or do we again need to get an access token?
  3. Is this a security breach, that we allow access based on the JWT token?
  4. If we use PingFederate just to validate the signature, will Ping's capabilities be used properly?


Added the image to describe our proposed solution.

Upvotes: 0

Views: 72

Answers (0)
