3

Is there any way that when the OAuth client get the JWT token from identity server is OK or not?

I afraid the when user get the access_token and try to use base64 to decode it then users can modify the token string .

My scenario is : I have two web portal A and B both of them integrated the Thinktecture identity server. User A just can access portal A with "role:portalA" claim but couldn't access portal B if user A try to login portal A and get the access_token then user A add the "role:portalB" into the the access_token then encode with base64 again. then the modified access_token pass to the Portal B, I afraid that user A could access portal B. so I have to check the access_token to Identity server again. is that any way to validate this access_token ? or this situation will not be happened?

Aggis Wu
  • 99
  • 1
  • 10

2 Answers2

4

I believe Thinktecture Identity Server has an endpoint for this at (baseurl + "/core/accessTokenValidation?token=" + access_token).

example: 

GET request to: http://localhost:3333/core/accessTokenValidation?token=aEdhoi23hlv2khdf2lkhfv4pv....

If the access_token is valid, it should return a 200 response, otherwise it'll return a JSON error message {"error":"invalid_token"} and a 4XX response.

You should wire up a call to this service to validate tokens, then cache the response.

Take a look at the source code: https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Endpoints/Connect/AccessTokenValidationController.cs

Laura Weatherhead
  • 47
  • 1
  • 7
Ray P
  • 56
  • 2
4

Thinktecture IdentityServer3 has different endpoint.

More details in official documentation: https://identityserver.github.io/Documentation/docs/endpoints/accessTokenValidation.html

Example:

GET /connect/accesstokenvalidation?token=<token>

A successful response will return a status code of 200 and the associated claims for the token. An unsuccessful response will return a 400 with an error message.

Vincenzo
  • 173
  • 2
  • 8