15 OAuth 2: Using JWT and cryptographic signatures


This chapter covers

  • Validating tokens using cryptographic signatures

  • Using JSON Web Tokens in the OAuth 2 architecture

  • Signing tokens with symmetric and asymmetric keys

  • Adding custom details to a JWT

In this chapter, we’ll discuss using JSON Web Tokens (JWTs) for token implementation. You learned in chapter 14 that the resource server needs to validate tokens issued by the authorization server, and I described three ways to do this:

  • Using direct calls between the resource server and the authorization server, which we implemented in section 14.2
  • Using a shared database for storing the tokens, which we implemented in section 14.3
  • Using cryptographic signatures, which we’ll discuss in this chapter

Using cryptographic signatures to validate tokens has the advantage of allowing the resource server to validate them without calling the authorization server directly and without a shared database: the resource server checks the signature locally with a key it holds. This approach to implementing token validation is commonly used in systems that implement authentication and authorization with OAuth 2, so you need to know how to implement it. We’ll write an example for this method, as we did for the other two methods in chapter 14.
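To make the point concrete before the Spring Security implementations that follow, here is an added example that is not the book's own code (the book's examples use Java and Spring Security). It builds a compact HS256 JWT on the authorization-server side and validates it on the resource-server side using only the shared secret: no callback to the authorization server and no shared database. The secret, claim values and function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Secret shared by the authorization server and the resource server
# (constructed for this example; a real deployment loads it from configuration).
SHARED_SECRET = b"example-secret-do-not-use-in-production"


def _b64url_encode(data: bytes) -> str:
    # JWT uses base64url without padding (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that the compact serialization strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes) -> str:
    """Authorization server side: sign header.payload with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def validate_token(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Resource server side: verify the signature locally, then check expiry.

    Raises ValueError for anything that must not be accepted. Note that nothing
    here contacts the authorization server or a database: the shared secret is
    all the resource server needs.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts

    # Pin the expected algorithm; the token must never choose how it is verified.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected = hmac.new(
        secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison so timing does not leak signature bytes.
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    # Constructed sample claims: a one-hour token for a user with read scope.
    token = issue_token(
        {"sub": "john", "scope": "read", "exp": int(time.time()) + 3600},
        SHARED_SECRET,
    )
    print(token)
    print(validate_token(token, SHARED_SECRET))
```

The symmetric variant shown here is the one section 15.1 builds in Spring Security; section 15.2 replaces the shared secret with a private key for signing and a public key for verification, which removes the need to distribute the signing secret to every resource server.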

15.1 Using tokens signed with symmetric keys with JWT

15.1.1 Using JWTs

15.1.2 Implementing an authorization server to issue JWTs

15.1.3 Implementing a resource server that uses JWT

15.2 Using tokens signed with asymmetric keys with JWT

15.2.1 Generating the key pair

15.2.2 Implementing an authorization server that uses private keys

15.2.3 Implementing a resource server that uses public keys

15.2.4 Using an endpoint to expose the public key

15.3 Adding custom details to the JWT

15.3.1 Configuring the authorization server to add custom details to tokens

15.3.2 Configuring the resource server to read the custom details of a JWT

Summary
