
Let's say I have 5 applications and I have a common auth server. My applications redirect the page to the auth server for the first time, get back a JWT token and then allow the user to use the application further.

Now the user is ready to use the application, but the application's backend has no clue whether the token is still valid or expired. So am I supposed to make a validation call to my auth server every time an API in my application is called, before processing the request? Is it not adding additional overhead (multiple hops) and impacting the response time of the application?

Is it possible for the application to check the validity of the token by itself without making a network call to the auth server? What are the best practices an application developer should follow while using an auth server for SSO?

Jinnah

1 Answer

Is it possible for the application to check the validity of the token by itself without making a network call to the auth server?

  • Expiration: Include an exp claim in the token with the expiration date. Any client can decode the token and check the date.

  • Signature: The client can verify the signature of the token to check if it comes from the expected server and trust the contained data. Then you would need to use an asymmetric keypair (e.g. RSA).

What are the best practices an application developer should follow while using an auth server for SSO?

This question is opinion-based and is off-topic in StackOverflow. Could you be more specific about your doubts or include a programming issue?

Is SSO an overhead?

No, your application is a clear example of why an SSO system is needed:

  • SSO: 5 apps -> 1 user login
  • Without SSO: 5 apps -> 5 user logins
pedrofb
  • Thanks pedrofb for the quick response! Is it safe to rely on the backend of the client application decoding and validating the expiry date? How will the client application know if the token was not hacked? Regarding signature: Could you please point me to any reference article to understand it better? – Jinnah Jul 13 '18 at 08:51
  • It is safe if you can verify the signature of the token using the public key of the server, or the token has been acquired through a trusted connection to the server. I mean a SSL/TLS channel. See [this](https://stackoverflow.com/questions/49562581/when-to-use-rs256-for-jwt/49563397#49563397) and [this](https://stackoverflow.com/questions/42644792/verifying-jwt-tokens-rsa/42646281?s=2|48.1782#42646281) question to understand the difference between using symmetric or asymmetric keys – pedrofb Jul 13 '18 at 08:56
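As an added example (not part of the question, pedrofb's answer or the comments above): a stdlib-only Python validator that does what the answer and the last comment describe, verifying the RS256 signature against the auth server's public key and then checking the exp claim, with no network call to the auth server. The function names `validate_jwt`, `sign_rs256` and `demo_keypair` are my own; the key generation and signing helpers are toy code assumed here only so the demo runs offline, standing in for the auth server's published public key and its signing step at login.

```python
import base64, hashlib, json, random, time
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa_pkcs1_v15(msg, k):
    # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo || SHA-256(msg), as a k-byte integer
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_verify(signing_input, sig, n, e):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == emsa_pkcs1_v15(signing_input, k)

def validate_jwt(token, pub, now=None):
    """Return the claims only if the signature verifies under pub=(n, e) and exp is still in the future."""
    h_b64, p_b64, s_b64 = token.split(".")  # ValueError on a malformed token
    # Pin the expected algorithm instead of trusting whatever the header announces
    if json.loads(b64url_decode(h_b64)).get("alg") != "RS256":
        raise ValueError("unexpected alg")
    if not rs256_verify(f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64), *pub):
        raise ValueError("bad signature")  # reject before trusting any claim
    claims = json.loads(b64url_decode(p_b64))
    now = int(time.time()) if now is None else now
    if now >= int(claims.get("exp", 0)):  # a missing exp is treated as expired
        raise ValueError("token expired")
    return claims

def _probable_prime(bits):
    # Fermat test with random bases: fine for a throwaway demo key, not for production
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(random.randrange(2, c - 1), c - 1, c) == 1 for _ in range(16)):
            return c
def demo_keypair(bits=512):
    """Toy key for the demo; a real app loads the auth server's published public key."""
    e = 65537
    while True:
        p, q = _probable_prime(bits // 2), _probable_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def sign_rs256(claims, n, d):
    """What the auth server does once at login; included only so the demo runs offline."""
    h = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    sig = pow(emsa_pkcs1_v15(f"{h}.{p}".encode(), k), d, n).to_bytes(k, "big")
    return f"{h}.{p}.{b64url_encode(sig)}"
```

Each API call then costs one local signature check plus an integer comparison; the auth server is only contacted at login, and revocation before exp is the one thing this local check cannot see.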