15 OAuth 2 – Using JWT and cryptographic signatures
This chapter covers
- Validating the tokens using cryptographic signatures.
- Using JSON Web Token (JWT) in the OAuth 2 architecture.
- Signing tokens with symmetric and asymmetric keys.
- Adding custom details to a JWT.
In this chapter, we discuss using JWT as token implementation. You learned in chapter 14 that the Resource Server needs to validate the tokens issued by the Authorization Server. And I told you about three ways to do this:
- Using direct calls between the Resource Server and the Authorization Server, which we implemented in section 14.2.
- Using a shared database for storing the tokens, which we implemented in section 14.3.
- Using cryptographic signatures, which we discuss in this chapter.
Using cryptographic signatures to validate the tokens has the advantage of allowing the Resource Server to validate the tokens without needing to call the Authorization Server directly and without the need for a shared database. This approach to implementing tokens validation is the most used in systems implementing authentication and authorization with OAuth 2 today. For this reason, you need to know this way of implementing the token validation as well. We’ll write an example for this case as we’ve done for the other two methods in chapter 14.