15 OAuth 2 – Using JWT and cryptographic signatures

This chapter covers

  • Validating the tokens using cryptographic signatures.
  • Using JSON Web Token (JWT) in the OAuth 2 architecture.
  • Signing tokens with symmetric and asymmetric keys.
  • Adding custom details to a JWT.

In this chapter, we discuss using JWT as the token implementation. You learned in chapter 14 that the Resource Server needs to validate the tokens issued by the Authorization Server, and I told you about three ways to do this:

  • Using direct calls between the Resource Server and the Authorization Server, which we implemented in section 14.2.
  • Using a shared database for storing the tokens, which we implemented in section 14.3.
  • Using cryptographic signatures, which we discuss in this chapter.

Using cryptographic signatures to validate the tokens has the advantage of allowing the Resource Server to validate the tokens without calling the Authorization Server directly and without a shared database: the Resource Server only needs the key that lets it check the signature. This approach to implementing token validation is the most widely used in systems that implement authentication and authorization with OAuth 2 today. For this reason, you need to know this way of implementing token validation as well. We’ll write an example for this case as we did for the other two methods in chapter 14.
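As an added illustration (not code from the book or from Spring Security), the following Python sketch shows the mechanism behind the third option: the Authorization Server signs a JWT with a key, and the Resource Server validates it locally with nothing more than the same key, rejecting tokens whose signature, algorithm or expiry does not check out. The shared secret, claims and timestamps are constructed sample values, and the names issue_token and validate_token are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key: bytes, claims: dict) -> str:
    """Authorization Server side: encode header and claims, sign them with HS256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"

def validate_token(key: bytes, token: str, now=None):
    """Resource Server side: check signature and expiry locally, with no call to the
    Authorization Server and no shared database. Returns the claims, or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, signature = parts
    try:
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never let the token pick it
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(signature)):
            return None  # wrong key, or header/claims modified after signing
        claims = json.loads(b64url_decode(payload))
    except (ValueError, AttributeError):  # bad base64, bad JSON, or a non-object header
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (now if now is not None else time.time()):
        return None  # missing or past expiry
    return claims

# Constructed sample values: a shared secret and a token carrying a custom claim
# (the "organization" claim stands in for the custom details of section 15.3).
SHARED_KEY = b"constructed-shared-secret-do-not-reuse"
TOKEN = issue_token(SHARED_KEY, {"sub": "john", "scope": "read",
                                 "organization": "Example Corp", "exp": 2_000_000_000})
```

Calling validate_token(SHARED_KEY, TOKEN) returns the claims, while the same token checked with another key, past its expiry, or with edited claims yields None without any round trip to the issuer.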

15.1 Using tokens signed with symmetric keys with JWT

15.1.1 Using JSON Web Tokens

15.1.2 Implementing an Authorization Server which issues JWT

15.1.3 Implementing a Resource Server which uses JWT

15.2 Using tokens signed with asymmetric keys with JWT

15.2.1 Generating the key pair

15.2.2 Implementing an Authorization Server which uses the private key

15.2.3 Implementing a Resource Server which uses the public key

15.2.4 Using an endpoint to expose the public key

15.3 Adding custom details to the JWT

15.3.1 Configuring the Authorization Server to add custom details in the token

15.3.2 Configuring the Resource Server to read the custom details of a JWT

15.4 Summary
