
Explain offline token validation vs online token validation in OpenID Connect? Advantages, limitations & trade-offs

In pursuit of developing an OpenID Connect model for existing applications and back-end services, I am confused about whether to choose offline or online JSON token validation for the ID token and access token.

My OpenID Provider: Keycloak

My question is about the idea of token validation, so I am not discussing the implementation details.

As per OIDC (OpenID Connect), the ID token will be issued to the service that is requesting the resource once it is authenticated.

Now, on the resource server side, is it really necessary to verify the token with the OpenID Provider (Keycloak), or can the token be validated offline based on the public key?

If I go for the offline model of token validation, what are the potential implications / limitations I must face?

I am looking for the ideal situations in which to choose the appropriate model, with the trade-offs discussed.

Sundar Rajan asked Mar 02 '23 22:03


2 Answers

The only advantage of online validation is that it covers the possibility that user rights have been revoked in the meantime. With offline validation you have proof that the token was issued by your Keycloak and that nobody has tampered with it. Online validation for every request would be too much.

For example, a click in the frontend can result in many API calls, and there is no benefit in creating a dozen REST requests to Keycloak in the same second. The recommendation is to keep the token lifetime shorter.

You could implement token caching and validate the token online at some short interval, but what's the point if you can just lower the token lifetime in Keycloak?

So to conclude: validate the token offline for the timeout duration (say 5 minutes; this should be configurable based on the use case), and beyond that period issue a new token.

andrija answered Mar 08 '23 23:03


Token validation is one aspect, but it is not a complete security solution. You will often find that you need data from both the token and other sources to authorize access to resources properly.

So your solution depends on how you want to authorize, and also on non-functional requirements such as availability and performance.

My personal preference is offline, due to its separation of concerns; see my write-up for further details.

Gary Archer answered Mar 08 '23 22:03