Regarding the Tapkey token exchange flow: when exchanging a JWT token for an access token through the https://login.tapkey.com/connect/token API, I get an access token response, even if the user does not exist.

My JWT token consists of the following:

Header:

{
  "alg": "RS256"
}

Payload:

{
  "algorithm": "RS256",
  "aud": "local",
  "iat": 1633339589,
  "exp": 1633343189,
  "iss": "tapkey",
  "sub": "NOT_EXISTING_USER_ID"
}

This raises the following questions:

  1. When I create an IdentityProviderUser, I get in return an id and an ipUserId. Should the JWT token's "sub" be the returned id, or should "sub" be the returned ipUserId? In both cases I am able to retrieve an access token, because regardless of what I define in "sub", an access token is exchanged.
  2. What happens when a mobile tries to log in with a non-existing user's access token?

1 Answer

For the token exchange itself, it does not matter whether the user already exists or not. It just validates your signed token and exchanges it for a token for the Tapkey system.

The subject of your JWT token should be your assigned userId (= ipUserId), which also was/will be used to create the user: https://developers.tapkey.io/api/ip_users/#create-identity-provider-user

Ad 2: By default, when a mobile tries to log in in the Tapkey Mobile SDK with a token with an id which was not created yet, this will cause an error.

Harald
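Because the exchange only validates the signature, the service that signs the JWT is the only place that can refuse an unknown user. The following is an added example (not code from the post above or from Tapkey) of a claim check run before a token is sent for exchange; `preflight`, the set of registered IDs and the ID `ip-user-0001` are assumptions, and the sample token is constructed with a placeholder signature.

```python
import base64
import json
import time

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def preflight(jwt_compact, registered_ip_user_ids, now=None):
    """List problems in a token's claims before it is sent for exchange.

    The signature is NOT verified here; only the claims the identity
    provider itself wrote are inspected. registered_ip_user_ids is the
    (assumed) local record of ipUserIds already created via the API.
    """
    now = int(time.time()) if now is None else now
    parts = jwt_compact.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWT"]
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not base64url-encoded JSON"]
    problems = []
    if header.get("alg") != "RS256":
        problems.append("header alg is not RS256")
    sub = claims.get("sub")
    if sub not in registered_ip_user_ids:
        problems.append(f"sub {sub!r} is not a registered ipUserId")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token is expired or has no exp")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now:
        problems.append("iat is missing or in the future")
    return problems

def constructed_token(claims):
    """Constructed sample token: real segments, placeholder signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.c2ln"

# Claims from the question; the registered set is a constructed sample.
QUESTION_CLAIMS = {"aud": "local", "iat": 1633339589, "exp": 1633343189,
                   "iss": "tapkey", "sub": "NOT_EXISTING_USER_ID"}
REGISTERED = {"ip-user-0001"}
```
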