How Does The Server Know If A Bearer Token Is Valid Without Storing It On Disk Or Memory

So I just implemented token based authentication in a Web API app using OWIN and I was able to understand the concept of how it all works (well on the surface at least).

What I couldn't understand is how the server validates the generated bearer token without storing it on the disk or memory. I mean sure the expiration date is probably encrypted in the token itself, but that only applies if it is already expired. So how does the server do it (on a high level)?

Update:

Okay, I can see that the claims are stored in the token. So at some level the server is still checking that with the db during authentication, correct? Otherwise let's assume that I'm the server and I was able to decrypt the token to this object:

{
  "iss": "thesite.com",
  "exp": 1300819380,
  "name": "Chris Sevilleja",
  "admin": true
}

So the question now is: does the fact that I (the server) was able to decrypt the token into key value pairs (checking for the presence of specific keys like 'iss', 'exp' and checking for values like the 'admin' key must be true) mean that I will authorize the web request?

james asked Sep 12 '25 09:09

1 Answer

A JWT token is made up of three parts separated by a dot (.).

  1. The first part is the Header.
  2. The second part is the Payload.
  3. The third part is the Signature (say s0).
  4. The Signature is created using the Header and the Payload.

When the server receives a JWT token, it creates a temporary signature (say s1) from the incoming header and payload.

  • If the s0 and s1 signatures are the same, then the token is valid.
  • Also, the token contains claims which are used to validate the token, e.g. the exp claim contains the unix epoch time after which the token is considered invalid.
ravindra answered Sep 15 '25 02:09
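The check the answer describes, as an added example that is not part of the original answer or of OWIN: the server keeps only its HS256 signing key, recomputes s1 over the incoming header and payload, compares it with the token's s0 in constant time, and then checks exp against the clock. The secret, the claims and the make_jwt helper are constructed here for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # assumption: the server's HS256 key


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT base64url omits '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def make_jwt(claims: dict, key: bytes) -> str:
    """Build header.payload.signature (HS256); used only to construct sample tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    s0 = sign(f"{header}.{payload}".encode(), key)
    return f"{header}.{payload}.{b64url_encode(s0)}"


def verify_jwt(token: str, key: bytes, now=None):
    """Return (ok, reason, claims). Nothing stored per token: only the key and the clock."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        s0 = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed", None
    if header.get("alg") != "HS256":  # the server, not the token, decides the algorithm
        return False, "unexpected alg", None
    s1 = sign(f"{header_b64}.{payload_b64}".encode(), key)  # recompute s1 from header+payload
    if not hmac.compare_digest(s0, s1):  # constant-time compare of s0 and s1
        return False, "bad signature", None
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" in claims and now >= int(claims["exp"]):  # claim check after signature check
        return False, "expired", None
    return True, "ok", claims
```

A token signed with any other key, or with its payload edited after signing, fails at the signature step before any claim is read.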