I am using Identity server 4 as identity provider.
After getting the token for a successful login, we pass this token to the resource server.
My question is: how does the Identity Server provider at the resource server end validate the submitted token?
When I observed the traffic using Fiddler, I didn't see any request submitting the token to the provider to check.
Which means the Identity Server provider at the resource server end is itself validating the token?
Then why do we need to provide an Authority when it is not checking against it?
How does the Identity Server provider at the resource end make sure it is issued by a valid token provider?
A resource server validates such a token by making a call to the authorisation server's introspection endpoint. The token encodes the entire authorisation in itself and is cryptographically protected against tampering. JSON Web Token (JWT) has become the de facto standard for self-contained tokens.
Token-based authentication is a process where the user sends their credentials to the server, the server validates the user details and generates a token which is sent as the response to the user, and the user stores the token on the client side, so the client makes further HTTP calls using this token, which can be added to the header and ...
The resource server will not send the token over the wire to the identity provider to validate a token. This would incur quite an overhead to your resource server.
Instead the resource server pulls down (and might cache) your identity provider's discovery document located at {identityserverUrl}/.well-known/openid-configuration. This document contains materials that allow the resource server to validate the token within its own context. This is of course assuming that the token is an access_token (issuer, jwks_uri).
If your resource server is using something like JwtBearerAuthentication middleware or IdentityServer4.AccessTokenValidation middleware, these things will do that for you.
JWT tokens are self-contained, and do not need a round-trip to verify that they are still valid with each use ... they are valid so long as they haven't expired, providing they haven't been tampered with, which only involves signature checking.
You can set your client up though to request reference tokens (and set up your API to accept them), and these tokens will involve a round-trip every time they are used. You have the ability then to revoke tokens, which you can't do with JWTs.