java - Checking the validity of access tokens without round tripping to the authorization server?


With OAuth, access token validity has to be checked with the authorization server. Is there a way to do this without making a round trip to the authorization server on every request to the resource server? I've done some reading on JWT, and it seems that since a JWT can be signed, it should be able to be verified by the resource server without going to the authorization server? IIUC, is there a standard / simple way to do this with Spring Security OAuth?

JWT does not require a call to the authorization server. You can either use:

1) A client secret key to sign and validate the JWT token. The secret key is stored in both the authorization server and your app.

2) Or preferably use private/public keys with JWK to sign and validate the token. The private key is stored on the authorization server side and the public token in your app. You can optionally get the public key from the authorization server, cache it, and refresh it after a period of time. For more, see https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/jwktokenstore.java.
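
What local validation on the resource server amounts to for option 2, as an added example that is not part of the original answer and does not use Spring Security OAuth's own classes: a JDK-only RS256 check against a cached public key, with the algorithm pinned and the `exp` claim enforced. The class and method names, the claims, and the key pair generated in `main` are constructed for illustration, and string matching stands in for a JSON parser.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;
import java.util.regex.*;

public class LocalJwtCheck {
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder DEC = Base64.getUrlDecoder();

    // Authorization-server side (constructed): sign "header.payload" with the private key.
    static String issue(PrivateKey key, String sub, long exp) throws GeneralSecurityException {
        String h = ENC.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String p = ENC.encodeToString(
                ("{\"sub\":\"" + sub + "\",\"exp\":" + exp + "}").getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update((h + "." + p).getBytes(StandardCharsets.US_ASCII));
        return h + "." + p + "." + ENC.encodeToString(s.sign());
    }
    // Resource-server side: uses only the cached public key, no call to the authorization server.
    static boolean isValid(String token, PublicKey cachedKey, Instant now) {
        try {
            String[] part = token.split("\\.");
            if (part.length != 3) return false;
            String header = new String(DEC.decode(part[0]), StandardCharsets.UTF_8);
            // Pin the algorithm: the token never chooses how it is verified ("none", HS256, ...).
            if (!header.contains("\"alg\":\"RS256\"")) return false;
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(cachedKey);
            s.update((part[0] + "." + part[1]).getBytes(StandardCharsets.US_ASCII));
            if (!s.verify(DEC.decode(part[2]))) return false;
            // Claims are read only after the signature has been accepted.
            String payload = new String(DEC.decode(part[1]), StandardCharsets.UTF_8);
            Matcher m = Pattern.compile("\"exp\":(\\d+)").matcher(payload);
            return m.find() && now.getEpochSecond() < Long.parseLong(m.group(1));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed Base64, unusable key, or badly encoded signature
        }
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair authServer = gen.generateKeyPair(); // constructed key pair
        Instant now = Instant.now();
        String token = issue(authServer.getPrivate(), "alice", now.getEpochSecond() + 300);
        System.out.println(isValid(token, authServer.getPublic(), now));                  // fresh token
        System.out.println(isValid(token, authServer.getPublic(), now.plusSeconds(600))); // after expiry
        System.out.println(isValid(token, gen.generateKeyPair().getPublic(), now));       // unrelated key
    }
}
```

A token validated this way stays accepted until its `exp` passes even if the authorization server revokes it, so short lifetimes are the usual companion to skipping the round trip.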

