OAuth2 Tips: Token Validation - DZone (2024)


There is a lot to learn about OAuth 2 and token validation — let's take a closer look.

By Nelia Loginova · Jan. 11, 19 · Presentation


Bearer Token Types

There are two types of OAuth2 bearer tokens:

  • General (opaque) token: a string that has no meaning for the client (e.g., 2YotnFZFEjr1zCsicMWpAA). This type of bearer token cannot be validated by the Resource Server without direct communication with the Authorization Server.
  • JWT token: represents a JSON object with statements (claims) about the user and the token. A JWT contains three separate parts: header, payload, and signature — each of them is base64-encoded for transfer. JWTs are not part of the core OAuth2 specification but are mandatory for use with OpenID Connect. A JWT is the most popular way to exchange information about the current authentication between microservices. More details can be found here.

Token Validation Methods

OAuth2 tokens can be validated using the following methods:

  • Introspection. This method obtains the current token information from a dedicated endpoint directly on the Authorization Server. Token information usually includes the token type, status (active or not), user, client identifier, granted OAuth2 scopes, and expiration time. A detailed description can be found in the specification https://tools.ietf.org/html/rfc7662 . The method requires a direct interaction with the Authorization Server for every token validation. It is highly secure but has low performance.
  • Token validation by signature (JWT tokens only). With this method the token is validated according to its cryptographic signature, and all required token information is read from the token itself. Token validity is therefore verified without any interaction with the Authorization Server, and if the token was revoked before its expiration, we’ll never know about it. So, this method is fast but less secure than introspection.

Put Them Into Practice

Let’s imagine that we have an application with a microservice architecture. It has several frontends, mobile applications, an API Gateway, and a lot of different useful backends.

As we follow microservice architecture principles, we move authentication functions to a separate service. It is called Authorization Server in OAuth2 terminology.


Frontends and mobile applications successfully delegate authentication to the Authorization Server. As a result of an authentication process, they get an access token that can be used to call our backend services. So what’s next?

Option 1. Secure API Gateway

API Gateway is usually a central entry point to the system, so at that point, we can verify all incoming requests and decide whether they go further or not. The main idea of that approach is to apply strong validation on API Gateway and light validation on backends.


Implementation details:

  • The API Gateway verifies the access token of every incoming request via introspection. This guarantees that the token is valid, not expired, and not revoked.
  • Every backend service validates the access token only by signature.
  • Some services with strong security requirements (e.g., in case of personal data access) may still validate the access token via the introspection endpoint.

This option strikes a good balance between security requirements and system performance.
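As an added example (not code from the original article), the following stand-alone Python models both validation methods from the "Token Validation Methods" section and the Option 1 split between gateway and backends. It mints an HS256 JWT the way a test Authorization Server would, validates it locally by signature (algorithm pinned, signature compared in constant time, iss/aud/exp checked), and simulates the RFC 7662 introspection endpoint with a revocation list. The shared secret, issuer URL, audience name and all claims are constructed placeholder values; a real Authorization Server would normally sign with an asymmetric key published via JWKS, which changes the crypto but not the flow shown here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: placeholder secret, hypothetical issuer and audience.
SIGNING_KEY = b"demo-shared-secret-placeholder"
ISSUER = "https://auth.example.test"   # hypothetical Authorization Server
AUDIENCE = "orders-api"                # hypothetical backend service


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_b64(obj):
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_jwt(claims):
    """Issue an HS256 JWT as a test Authorization Server would."""
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(claims)
    sig = hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_by_signature(token, now=None):
    """Resource-server side: validate the JWT locally, without calling the AS.
    Returns the claims on success and raises ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token not intended for this service")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


class AuthorizationServer:
    """Stand-in for the introspection endpoint (RFC 7662 response shape).
    It knows about revocations, which the signature check alone cannot see."""

    def __init__(self):
        self.revoked = set()

    def revoke(self, jti):
        self.revoked.add(jti)

    def introspect(self, token, now=None):
        try:
            claims = verify_by_signature(token, now)
        except ValueError:
            return {"active": False}
        if claims.get("jti") in self.revoked:
            return {"active": False}
        return {"active": True, "token_type": "Bearer", "sub": claims.get("sub"),
                "client_id": claims.get("client_id"), "scope": claims.get("scope", ""),
                "exp": claims["exp"]}


def gateway_admits(server, token, now=None):
    """API Gateway (Option 1): strong validation via introspection."""
    return bool(server.introspect(token, now).get("active"))


def backend_admits(token, now=None):
    """Ordinary backend (Option 1): light validation by signature only."""
    try:
        verify_by_signature(token, now)
        return True
    except ValueError:
        return False


def demo():
    """Run one token through gateway and backend before/after revocation."""
    now = 1_700_000_000  # fixed clock so the outcome is deterministic
    server = AuthorizationServer()
    token = mint_jwt({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-42", "jti": "tok-1",
                      "client_id": "web-frontend", "scope": "orders:read",
                      "iat": now, "exp": now + 300})
    before = (gateway_admits(server, token, now), backend_admits(token, now))
    server.revoke("tok-1")  # revoked long before exp: only introspection notices
    after = (gateway_admits(server, token, now), backend_admits(token, now))
    expired = (gateway_admits(server, token, now + 301), backend_admits(token, now + 301))
    # Forged payload (sub changed) with the original signature must be rejected.
    h, p, s = token.split(".")
    forged = json.loads(_b64url_decode(p))
    forged["sub"] = "someone-else"
    tampered = h + "." + _json_b64(forged) + "." + s
    return {"before_revocation": before, "after_revocation": after,
            "expired": expired, "tampered_backend": backend_admits(tampered, now)}


if __name__ == "__main__":
    print(demo())
```

The `after_revocation` result is the whole point of Option 1: the backend's signature check still says `True` for a revoked token, while the gateway's introspection says `False`, so introspecting once at the gateway is what closes the revocation gap for every backend behind it.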

Option 2. Introspection Only

In some architectures, the API Gateway doesn’t have additional functions or there is no API Gateway at all. So, the only possible way is to verify the access token on the backends.

Implementation details:

  • Every backend service should validate the access token via introspection. Only introspection guarantees that the token is valid, not expired or revoked.

This approach adds one additional call for each service invocation. It can cause performance problems depending on the actual system architecture.

Summary

JWT is the standard way to pass authentication between microservices. The token can be verified via the introspection endpoint or by signature. The most common way to build token verification into the system is to introspect the token on the API Gateway and verify the signature on the other services. If we cannot add additional security functions on the API Gateway, the token should be introspected on every service. Of course, other token validation combinations are also possible under specific conditions; the particular choice between the methods should be made according to the system architecture and security requirements.


