What do I verify within a client bearer token?

Time:02-01

I've got service A, an OAuth2 authentication server, and service B.

Service A has an API and trusts the auth server.

Service B needs to call service A's API, and to do so it needs to include a client (i.e. non-user-specific) bearer token in the request header.

Aside from client_id and sub (which should be the same as client_id), what information from the bearer token does service A need to use to verify with the auth server that service B is who it says it is, that the bearer token is valid?

CodePudding user response:

what information from the bearer token does service A need to use to verify with the auth server that service B is who it says it is, that the bearer token is valid?

In addition to sub, you should validate:

  • That it is not expired.
  • That the token issuer iss is the server that you trust.
  • That the token is signed e.g. with RSA and signed by the issuer's private certificate.

Common OAuth servers on the market can typically do these validations for you by using an HTTP endpoint.
