How does the JWT authorization server and API server validate the token?

H

heducose2017-07-19 02:47:51

API

heducose, 2017-07-19 02:47:51

this point is not entirely clear.
there are 2 applications, on different domains.
one - purely authorization, issues tokens, registers.
the second is the API server, from where the client requests information.
Here is an example of a diagram of

how data is synchronized between these servers? Should this happen instantly? Or what is the principle of token validation?

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

A

Alexander Kuznetsov, 2017-07-19
@heducose

In general, the second application (API) should be able to receive the user for this token.
Essentially, a JWT token consists of three parts:
The body usually contains information of the form:
The API decodes the token, depending on the algorithm (you may need a p12 certificate, it all depends on the settings) and receives the user based on this information. As soon as your token expires, the application throws a 401 and you need to reacquire the token.
Validation - verification of the conformity of the body of the signature token, it occurs through the signature mechanism, which is determined from the first header. There may be hashing with a key, or maybe a passphrase is enough.
There is another option, when the authorization server gives two tokens, the second one is what is called refresh_token. In such a situation, the API can request a new token for this user and continue to communicate through the new token.
It is important to understand what the client uses as a library for JWT authentication (and the API is the client), how it (the library) can work.