Morioh
Login
Jim Michael

Jim Michael

3 years ago

The topic of validating an OAuth 2.0 access tokens comes up frequently on the Okta developer blog. Often we talk about how to validate JSON Web Token (JWT) based access tokens; however, this is NOT part of the OAuth 2.0 specification. JWTs are so commonly used that Spring Security supported them before adding support for remotely validating tokens (which is part of the OAuth 2.0 specification.)

In this post, you will build a simple application that takes advantage of both types of validation.

Table of Contents

  • Should I Validate Access Tokens Locally or Remote?
  • Validate Access Tokens Locally and Remotely!
  • Create a New Spring Boot Application
  • Configure Spring Security to Validate JWTs and Opaque Tokens
  • Better JWT Validation
  • Configure and Run Your OAuth 2.0 Application
  • Get a Token with the OIDC Debugger
  • Learn More About Secure Applications

Should I Validate Access Tokens Locally or Remote?

Whether you should validate access tokens locally (e.g., a JWT) or remotely (per spec) is a question of how much security you need. Often, people jump to, “I need all of the securities!” This statement simply isn’t true—how much security you need should be balanced with other factors like ease of use, cost, and performance.

There is no such thing as perfect security, only varying levels of insecurity. —Salman Rushdie

The biggest downside to validating a token locally is that your token is, by definition, stale. It is a snapshot of the moment in time when your identity provider (IdP) created the token. The further away you get from that moment, the more likely that token is no longer valid: it could have been revoked, the user could have logged out, or the application that created the token disabled.

Remotely validating tokens are not always ideal, either. Remote validation comes with the cost of adding latency in your application, as you need to add an HTTP request to a remote server every time you need to validate the token.

One way to reduce these concerns is to keep the lifetime of an access token short (say 5 minutes) and validate them locally; this limits the risk of using a revoked token.

There is another option: do both!

#jwt #spring-boot #security #web-development #developer

JWT vs Opaque Access Tokens: Use Both With Spring Boot

scotch.io

JWT vs Opaque Access Tokens: Use Both With Spring Boot

JWT vs Opaque Access Tokens: Use Both With Spring Boot. Often we talk about how to validate JSON Web Token (JWT) based access tokens; however, this is NOT part of the OAuth 2.0 specification. JWTs are so commonly used that Spring Security supported them before adding support for remotely validating tokens. Should I Validate Access Tokens Locally or Remote? Validate Access Tokens Locally and Remotely! Create a New Spring Boot Application. Configure Spring Security to Validate JWTs and Opaque Tokens. Better JWT Validation. Configure and Run Your OAuth 2.0 Application. Get a Token with the OIDC Debugger.

18.10 GEEK