I have OAuth2 implemented in my application to protect API calls. My OAuth and resource servers are on two separate physical boxes (but on the same network). For each call on the resource server, it needs to call the OAuth server for OAuth token validation.

I have millions of requests coming to my resource server in a day. Currently, to validate the OAuth token, I am using a REST call from the resource server to the OAuth server.

Is there a way to make this faster, as each and every call needs to be redirected to the OAuth server? Can WebSockets solve this problem?

wizneel
  • Not an expert, but Figure 2 in https://tools.ietf.org/html/rfc6749 does not show any communication between the resource server and the authorization server. The resource server should be able to validate the access token without extra communication, I think. – BitTickler Apr 23 '16 at 16:49

1 Answer

If you don't need to revoke individual access tokens, you can use stateless JSON Web Tokens (JWTs). JWTs don't need to be validated on the authorization server. As long as the JWT is signed by the authorization server (asymmetric cryptography), you can validate the token on the resource server itself using the authorization server's public key.

This makes for fast authorization (since it skips a server-to-server round trip) at the cost of easy revocability.

Note: you can also use a shared secret (symmetric cryptography) but then you need to make sure all the interested parties have the shared secret (and keep it secret).

Look into spring-security-jwt and https://jwt.io/

sdoxsee
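As an added example (not code from the question or the answer), here is the scheme the answer describes, in Go using only the standard library: the authorization server issues an RS256-signed JWT, and the resource server checks the signature and expiry locally with nothing but the public key. The `Claims` layout and the fixed header are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims is the minimal payload the authorization server puts in the token (constructed for this
// example). Exp is the expiry in seconds since the Unix epoch.
type Claims struct{ Sub string `json:"sub"`; Exp int64 `json:"exp"` }
var b64 = base64.RawURLEncoding
// header is fixed: the verifier pins the algorithm instead of trusting the "alg" field inside a token.
var header = b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
// digest hashes the signing input (header.payload) as RS256 requires.
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// Issue runs on the authorization server: it signs header.payload with the private key.
func Issue(priv *rsa.PrivateKey, c Claims) (string, error) {
	pl, _ := json.Marshal(c) // cannot fail for a struct of plain string/int fields
	input := header + "." + b64.EncodeToString(pl)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(input))
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Validate runs on the resource server holding only the public key: no round trip to the authorization server.
func Validate(pub *rsa.PublicKey, token string, now int64) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != header {
		return c, errors.New("malformed token or unexpected algorithm")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig) != nil {
		return c, errors.New("bad signature") // payload tampered with, or signed by a key we do not trust
	}
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return c, errors.New("bad payload")
	}
	if now >= c.Exp {
		return c, errors.New("token expired")
	}
	return c, nil
}
```

Because nothing here contacts the authorization server, a token stays usable until its `exp` even if access is revoked in the meantime, which is the trade-off the answer points out; short token lifetimes bound that window.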