Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

JWT token SSO flow

Tags:

I have a simple question about SSO flow with JWT

Let's say we have separate Authorization Server, which provides the JWT to the client app/server and Resource server, where client trying to access with that token.

enter image description here

The question is, should Resource server validate token by itself (e.g. share private certificate with Auth Server) or should it request Auth Server to validate JWT for each client request?

like image 482
silent-box Avatar asked Dec 26 '16 17:12

silent-box

People also ask

How does SSO work with JWT token?

Single sign-on is a mechanism that allows you to authenticate users in your systems and subsequently tell Zendesk that the user has been authenticated. If you use single sign-on with JSON Web Token (JWT), a user is automatically verified with the identity provider when they sign in.

What is JWT bearer token flow?

OAuth 2.0 JWT Bearer flow is used for server to server integration scenarios. This flow uses a certificate to sign the JWT request and doesn't require explicit user interaction. However, this flow does require prior approval of the client app.

How does JWT flow work?

With the OAuth 2.0 JWT bearer token flow, the client posts a JWT to the Salesforce OAuth token endpoint. Salesforce processes the JWT, which includes a digital signature, and issues an access token based on prior approval of the app.

Does SSO use tokens?

In SSO, this identity data takes the form of tokens which contain identifying bits of information about the user like a user's email address or a username.

1 Answers

The JWT specification was built with scalability in mind. The purpose of JWT's design is that any trusted app can validate a the signature block. If you care about performance then use a SHA-256 HMAC and validate the signature locally on each endpoint with a shared secret. Using an asymmetric signature for JWT creates overhead, but you can store the public key on endpoints that verify but not issue JWT, and then the private key on the central authority that issues tokens. This separation of concern between validation and issuing reduces the possibilities that the token creation process can be subverted by an adversary (Read: Defense-in-depth).

If you need to revoke tokens in real time, then need a central authority which validates each token. This works, but it defeats the purpose of JWT's design, and the system would be better off just issuing a cryptogrpahic nonce as the token.

like image 144
rook Avatar answered Sep 23 '22 17:09

rook
Sign in to Comment

Related questions

jupyter "%matplotlib notebook" not showing plot
Ionic 2 - How to show second dropdown data based on previous dropdown selection
React Js click event within a for loop [duplicate]
what is the difference between polyserve and polymer serve?
Failed to resolve profiler path from COR_PROFILER_PATH and COR_PROFILER environment variables. When using shims
Create ControlProperty for custom UIControl
What is the potential benefit of allowing C++ and C streams to buffer independently?
FluentValidation.NET equivalent to [Display(Name)]
Does "std::string + char" expression create another std::string?
Oracle .net Provider CommandTimeout not worked
Can HTTP GET be used if there are small side-effects?
Launch a Toastnotification in a WPF app

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!