How does the JWT authorization server and API server validate the token?
This point is not entirely clear to me.
There are two applications, on different domains.
One is purely for authorization: it issues tokens and registers users.
The second is the API server, from which the client requests information.
Here is an example of a diagram of
how data is synchronized between these servers. Should this happen instantly? Or what is the principle of token validation?
In general, the second application (the API) should be able to obtain the user from this token.
Essentially, a JWT token consists of three parts:
The body usually contains information of the form:
The API decodes the token, depending on the algorithm (you may need a p12 certificate; it all depends on the settings), and obtains the user from this information. As soon as your token expires, the application throws a 401 and you need to re-acquire the token.
Validation is verification that the signature matches the body of the token. It is done through the signature mechanism, which is determined from the first part (the header). There may be hashing with a key, or a passphrase may be enough.
There is another option, where the authorization server issues two tokens, the second of which is called a refresh_token. In that situation the API can request a new token for this user and continue communicating with the new token.
It is important to understand which library the client uses for JWT authentication (and here the API is the client) and how that library can work.