15 OAuth 2 – Using JWT and cryptographic signatures

 

This chapter covers

  • Validating the tokens using cryptographic signatures.
  • Using JSON Web Token (JWT) in the OAuth 2 architecture.
  • Signing tokens with symmetric and asymmetric keys.
  • Adding custom details to a JWT.

In this chapter, we discuss using JWT as token implementation. You learned in chapter 14 that the Resource Server needs to validate the tokens issued by the Authorization Server. And I told you about three ways to do this:

  • Using direct calls between the Resource Server and the Authorization Server, which we implemented in section 14.2.
  • Using a shared database for storing the tokens, which we implemented in section 14.3.
  • Using cryptographic signatures, which we discuss in this chapter.

Using cryptographic signatures to validate the tokens has the advantage of allowing the Resource Server to validate the tokens without needing to call the Authorization Server directly and without the need for a shared database. This approach to implementing tokens validation is the most used in systems implementing authentication and authorization with OAuth 2 today. For this reason, you need to know this way of implementing the token validation as well. We’ll write an example for this case as we’ve done for the other two methods in chapter 14.

15.1  Using tokens signed with symmetric keys with JWT

15.1.1    Using JSON Web Tokens

15.1.2    Implementing an Authorization Server which issues JWT

15.1.3    Implementing a Resource Server which uses JWT

15.2  Using tokens signed with asymmetric keys with JWT

15.2.1    Generating the key pair

15.2.2    Implementing an Authorization Server which uses the private key

15.2.3    Implementing a Resource Server which uses the public key

15.2.4    Using an endpoint to expose the public key

15.3  Adding custom details to the JWT

15.3.1    Configuring the Authorization Server to add custom details in the token

15.3.2    Configuring the Resource Server to read the custom details of a JWT

15.4  Summary

sitemap