How does Identity Server validate the token at the API, or when we use the Authorize attribute?

I am using IdentityServer4 as the identity provider.

After getting the token for a successful login, we pass this token to the resource server.

My question is: how does the Identity Server provider at the resource server end validate the submitted token?

When I observed the traffic using Fiddler, I didn't see any request submitting the token to the provider for checking.

Which means the Identity Server provider at the resource server end is itself validating the token?

Then why do we need to provide the Authority when it is not checking against it?

How does the identity server provider at the resource end make sure it was issued by a valid token provider?

Mahesh Gupta Avatar asked Mar 08 '17 10:03

2 Answers

The resource server will not send the token over the wire to the identity provider to validate it. This would incur quite an overhead on your resource server.

Instead, the resource server pulls down (and might cache) your identity provider's discovery document, located at {identityserverUrl}/.well-known/openid-configuration. This document contains material (issuer, jwks_uri) that allows the resource server to validate the token within its own context. This is of course assuming that the token is an access_token.

If your resource server is using something like the JwtBearerAuthentication middleware or the IdentityServer4.AccessTokenValidation middleware, these will do that for you.

Lutando Avatar answered Nov 02 '22 23:11

JWT tokens are self-contained and do not need a round-trip to verify that they are still valid with each use ... they are valid as long as they haven't expired, provided they haven't been tampered with, which only involves signature checking.

You can set your client up, though, to request reference tokens (and set up your API to accept them), and these tokens will involve a round-trip every time they are used. You then have the ability to revoke tokens, which you can't do with JWTs.

Mashton Avatar answered Nov 03 '22 00:11

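As an added example (not code from the question, from either answer, or from IdentityServer itself), the following Go program plays both sides of what the two answers describe. A constructed provider issues an RS256-signed JWT and publishes the public half of its key as a JWKS, and a resource-server function validates the token entirely locally: it picks the published key named by the token's kid, checks the signature, and then checks iss, aud and exp against the issuer value (which a real API reads from the discovery document), the API's own name and the clock. No request ever carries the token back to the provider. The issuer URL, key id k1, audience api1 and subject alice are constructed placeholders, and the names issueToken, publicJWKS and validateLocally are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk is the subset of a JSON Web Key (base64url fields) needed to verify RS256.
type jwk struct {
	Kid, N, E string
}

type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// issueToken plays the identity provider: it mints an RS256-signed JWT (example code).
func issueToken(key *rsa.PrivateKey, kid string, c claims) (string, error) {
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pb, _ := json.Marshal(c)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(pb)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// publicJWKS is what the provider serves at jwks_uri: the public half of the key only.
func publicJWKS(key *rsa.PrivateKey, kid string) []jwk {
	return []jwk{{Kid: kid, N: b64.EncodeToString(key.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(key.E)).Bytes())}}
}

// validateLocally is the resource-server side: nothing is sent back to the provider.
// issuer comes from the discovery document's "issuer" field and keys from its jwks_uri.
// A token revoked at the provider still passes here until exp; that is why reference tokens exist.
func validateLocally(token, issuer string, keys []jwk, aud string, now time.Time) (claims, error) {
	var c claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	var raw [3][]byte // decoded header, payload, signature; nothing is trusted yet
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return c, err
		}
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return c, errors.New("bad header or unexpected alg") // pin the algorithm; never let the token choose it
	}
	var pub *rsa.PublicKey // select the published key whose kid the token names
	for _, k := range keys {
		if nb, err := b64.DecodeString(k.N); k.Kid == hdr.Kid && err == nil {
			eb, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
		}
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	switch { // cases run in order, so the claims are only parsed after the signature holds
	case pub == nil:
		return c, errors.New("no signing key with kid " + hdr.Kid)
	case rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]) != nil:
		return c, errors.New("signature invalid")
	case json.Unmarshal(raw[1], &c) != nil:
		return c, errors.New("malformed payload")
	case c.Iss != issuer:
		return c, errors.New("issuer mismatch")
	case c.Aud != aud:
		return c, errors.New("audience mismatch")
	case !now.Before(time.Unix(c.Exp, 0)):
		return c, errors.New("token expired")
	}
	return c, nil
}

func main() { // stand-alone demo with a constructed provider key and issuer URL
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := issueToken(key, "k1", claims{Iss: "https://idp.example.test", Aud: "api1", Sub: "alice", Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println(validateLocally(tok, "https://idp.example.test", publicJWKS(key, "k1"), "api1", time.Now()))
}
```

This is also the answer to the "why provide Authority" part of the question: the JWT bearer middleware uses the Authority value to fetch the discovery document once, learns the expected issuer and the jwks_uri from it, and then does the equivalent of validateLocally on every request without contacting the provider again. The same property is the caveat in the second answer: because nothing in validateLocally consults the provider, revoking a JWT at the provider has no effect on an API until the token's exp passes, so keep JWT lifetimes short or use reference tokens where immediate revocation matters.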