I'm going to make a REST web service with many resource servers (implemented in different programming languages) and one authorization server.

My question is about token validation in the resource servers. Let's say that a resource server cannot connect to the database and check the token info there.

I have read this thread: OAuth v2 communication between authentication and resource server

And I like the idea to make an API in the authorization server, which will be responsible to "resolve" tokens. For example: https://oauth.example.tdl/tokeninfo?token=tokentovalidate

So my question: Should the /tokeninfo resource be "public"? I mean everyone who knows this endpoint will be able to validate tokens.

Wouldn't it be better to make this "private"? I mean https://oauth.example.tdl/tokeninfo?access_token=valid_token&token=tokentovalidate

But then my resource server will have to authorize itself before validating tokens... too many requests, I think.

If you know more strategies to validate tokens between resource server and authorization server - tell me, because I'm pretty new to OAuth.

1 Answer

Should the token verification API be public?

In terms of authentication, it should of course be an authenticated API, and the access token that you use to call it is the access token you want to verify. RFC 6750 explains how to do that. Typically, the token is sent in the Authorization header, or as a URI query parameter.

Alternatively, for more security, you require the client id and client secret to secure the call, either by passing them as parameters, or by obtaining an access token for the client using the Client Credentials Grant.

Be careful what information you return from the API. You should only return information that does not require a specific scope that has to be authorized by the resource owner.

For a real life example, see the Google implementation or the implementation from The Identity Hub. For the Facebook implementation, see the section "Confirming identity" on Manually Build a Login Flow.
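The following is an added example, not code from the question or the answer, showing a minimal tokeninfo handler that follows the answer's two options: the caller presents the token it wants checked as its own RFC 6750 bearer credential, or it authenticates as a registered client (HTTP Basic here) and names the token in a `token` query parameter. The token store, client registry and the set of claims treated as non-scope-gated are constructed assumptions.

```python
import base64
import hmac
import time

# Constructed sample token store: what the authorization server knows per token.
TOKEN_STORE = {
    "tok-abc123": {"sub": "user-42", "client_id": "app-1", "scope": "profile email",
                   "exp": time.time() + 3600, "email": "alice@example.test"},
    "tok-expired": {"sub": "user-7", "client_id": "app-1", "scope": "profile",
                    "exp": time.time() - 60},
}
# Constructed client registry for the "private" variant (client_id -> secret).
CLIENTS = {"rs-1": "rs-1-secret"}
# Claims returned without a resource-owner-authorized scope (an assumption).
PUBLIC_FIELDS = ("sub", "client_id", "scope", "exp")

def bearer_token(headers, query):
    """RFC 6750: token from 'Authorization: Bearer ...' or the access_token query param."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        return value.strip()
    return query.get("access_token")

def basic_header(client_id, secret):
    """Build the HTTP Basic header a resource server would send as a client."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def client_authenticated(headers):
    """Verify HTTP Basic client credentials with a constant-time comparison."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        client_id, _, secret = base64.b64decode(value).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return False
    expected = CLIENTS.get(client_id, "")
    return bool(expected) and hmac.compare_digest(expected.encode(), secret.encode())

def tokeninfo(headers, query):
    """Return (status, body) for GET /tokeninfo. Both authentication options are accepted."""
    token = query.get("token") if client_authenticated(headers) else bearer_token(headers, query)
    if not token:
        return 401, {"error": "invalid_request"}
    info = TOKEN_STORE.get(token)
    if info is None or info["exp"] <= time.time():
        return 401, {"error": "invalid_token"}
    return 200, {k: info[k] for k in PUBLIC_FIELDS}  # never the scope-gated 'email'
```

An unauthenticated call (no bearer token, no client credentials) gets 401 rather than a lookup, so the endpoint cannot be used as a public oracle, and the response body omits claims that would need a resource-owner-authorized scope.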