java - Checking the validity of access tokens without round-tripping to the authorization server?
With OAuth, the validity of an access token is checked against the authorization server. Is there a way to avoid making a round trip to the authorization server on every request to the resource server? I've done some reading on JWT, and it seems that since a JWT can be signed, it should be possible to verify it at the resource server without going to the authorization server? IIUC, is there a standard / simple way to do this with Spring Security OAuth?
JWT does not require a call to the authorization server. You can either use:
1) A client secret key to sign and validate the JWT token. The secret key is stored in both the authorization server and the app.
2) Or, preferably, use private/public keys (JWK) to sign and validate the token. The private key is stored on the authorization server side and the public key in the app. You can optionally fetch the public key from the authorization server, cache it, and refresh it after a period of time. For more, see https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStore.java.
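The following is an added example, not code from the answer above or from Spring Security OAuth, showing what "validate locally instead of round-tripping" amounts to for option 1 (shared-secret HS256), plus the key-set caching and refresh-on-rotation the answer describes for option 2. It uses only the Python standard library so it runs offline; the key set `SAMPLE_KEYS`, the `KeySetCache` class, the issuer `https://auth.example` and audience `api` are all constructed for the example. For option 2 the structure is identical: the `hmac` comparison is replaced by an RSA/EC signature check from a crypto library, and `SAMPLE_KEYS` becomes the parsed JWK Set fetched from the authorization server. The algorithm is pinned by the verifier rather than read from the token, which is the check that defeats `alg: none` and HS256/RS256 confusion attacks.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample key set, keyed by "kid", standing in for what the
# authorization server would publish (for HS256 both sides hold the secret).
SAMPLE_KEYS = {"2019-01": b"correct horse battery staple, but 32 bytes!!"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes, kid: str) -> str:
    """Authorization-server side: header.payload.signature with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class KeySetCache:
    """Resource-server side: key set fetched from the authorization server,
    refreshed after ttl_seconds or when a token names an unknown kid (rotation).
    A production version should rate-limit the unknown-kid refresh, since an
    attacker can trigger it at will."""

    def __init__(self, fetch, ttl_seconds, clock=time.time):
        self._fetch, self._ttl, self._clock = fetch, ttl_seconds, clock
        self._keys, self._expires_at = {}, 0
        self.fetch_count = 0  # exposed so the refresh behaviour can be observed

    def _refresh(self):
        self._keys = dict(self._fetch())
        self._expires_at = self._clock() + self._ttl
        self.fetch_count += 1

    def get(self, kid):
        if self._clock() >= self._expires_at:
            self._refresh()
        if kid not in self._keys:
            self._refresh()  # key rotation: try once more, then give up
        return self._keys.get(kid)


def verify_hs256(token, keys, issuer, audience, clock=time.time, leeway=30):
    """Validate a token locally; returns the claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: never let the token choose it ("none", alg confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    key = keys.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    now = clock()
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("expired")
    if now + leeway < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims


def introspect_locally(token, keys, issuer, audience, clock=time.time):
    """The answer a token-introspection round trip would give, computed locally."""
    try:
        claims = verify_hs256(token, keys, issuer, audience, clock=clock)
    except ValueError as exc:
        return {"active": False, "error": str(exc), "claims": None}
    return {"active": True, "error": None, "claims": claims}


if __name__ == "__main__":
    cache = KeySetCache(lambda: SAMPLE_KEYS, ttl_seconds=600)
    now = int(time.time())
    tok = sign_hs256({"iss": "https://auth.example", "aud": "api", "sub": "alice",
                      "iat": now, "exp": now + 300}, SAMPLE_KEYS["2019-01"], "2019-01")
    print(introspect_locally(tok, cache, "https://auth.example", "api"))
```

Note that every check the resource server needs (signature, issuer, audience, expiry) is answered from the cached key set; the authorization server is only contacted when the cache expires or a token carries a `kid` the resource server has not seen.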