2
votes

According to this and this there are two ways to validate the JWT token:

  1. Using RemoteTokenServices, which basically calls the /check_token endpoint of the OAuth server, retrieves the whole token and compares it
  2. Exposing the public key at the OAuth server and verifying the JWT's signature at the resource server

At the beginning I tried the first way, but since I use a custom token converter which hits the database every time a token is generated, I decided to switch to signature verification on the resource side - I didn't want an additional database call for every client request.

After some investigation I realized that ResourceServerTokenServices (the interface describing token retrieval, conversion and generation of a valid OAuth2Authentication object) has only two default implementations: DefaultTokenServices, which is primarily used when the OAuth and resource servers are parts of the same application, and RemoteTokenServices, which was described in the first approach.

So the main question is whether spring-oauth2 really has no default implementation of JWT signature verification, or whether I just couldn't find one?

1
Have you found a solution to this? I'm also struggling to check the signature with Spring OAuth JWT tokens. - dplesa
@dplesa I did. Actually I used the answer of Cristian Sevescu - nKognito

1 Answer

1
votes

You do not need a JWT specific ResourceServerTokenServices, so the DefaultTokenServices should do fine. Most of the implementation specific details are sent to the store, so as long as you have a JwtTokenStore configured correctly there should be no issue.

Here:

> The Resource Server also needs to be able to decode the tokens so the JwtTokenStore has a dependency on a JwtAccessTokenConverter, and the same implementation is needed by both the Authorization Server and the Resource Server. The tokens are signed by default, and the Resource Server also has to be able to verify the signature, so it either needs the same symmetric (signing) key as the Authorization Server (shared secret, or symmetric key), or it needs the public key (verifier key) that matches the private key (signing key) in the Authorization Server (public-private or asymmetric key). The public key (if available) is exposed by the Authorization Server on the /oauth/token_key endpoint.

You can extend JwtAccessTokenConverter to access the Authorization Server once for the exposed public key.
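One way to wire this up, as an added example that is not part of the original answer: the resource server fetches the verifier key from /oauth/token_key once at startup and hands a JwtTokenStore to the plain DefaultTokenServices, so tokens are checked locally with no per-request call to the Authorization Server or the database. The Authorization Server URL is a placeholder, and the Authorization Server must permit access to the token_key endpoint (tokenKeyAccess) for the fetch to succeed.

```java
import java.util.Map;
import org.springframework.context.annotation.*;
import org.springframework.security.oauth2.config.annotation.web.configuration.*;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.*;
import org.springframework.security.oauth2.provider.token.store.*;
import org.springframework.web.client.RestTemplate;

@Configuration
@EnableResourceServer
public class JwtResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Placeholder Authorization Server location (an assumption, not from the page).
    private static final String TOKEN_KEY_URL = "http://auth-server.example/oauth/token_key";

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        // /oauth/token_key answers with JSON such as
        // {"alg":"SHA256withRSA","value":"-----BEGIN PUBLIC KEY-----\n..."}
        Map<?, ?> body = new RestTemplate().getForObject(TOKEN_KEY_URL, Map.class);
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // A PEM public key turns the converter into a verify-only RSA checker:
        // this resource server can validate signatures but never mint tokens.
        converter.setVerifierKey((String) body.get("value"));
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        // JwtTokenStore keeps nothing; it decodes and verifies the token on each read.
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    public DefaultTokenServices tokenServices() {
        // DefaultTokenServices delegates decoding and signature checks to the store,
        // so no JWT-specific ResourceServerTokenServices implementation is needed.
        DefaultTokenServices services = new DefaultTokenServices();
        services.setTokenStore(tokenStore());
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.tokenServices(tokenServices());
    }
}
```

If the Authorization Server uses a symmetric signing key instead, the same config works with the shared secret passed to setSigningKey, but that secret then has to be distributed to every resource server.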