5
votes

I have a simple question about SSO flow with JWT

Let's say we have a separate Authorization Server, which provides the JWT to the client app/server, and a Resource Server, which the client tries to access with that token.


The question is, should the Resource Server validate the token by itself (e.g. share a private certificate with the Auth Server), or should it ask the Auth Server to validate the JWT for each client request?


1 Answer

4
votes

The JWT specification was built with scalability in mind. The purpose of JWT's design is that any trusted app can validate the signature block. If you care about performance, then use a SHA-256 HMAC and validate the signature locally on each endpoint with a shared secret. Using an asymmetric signature for JWT creates overhead, but you can store the public key on endpoints that verify but do not issue JWTs, and the private key on the central authority that issues tokens. This separation of concerns between validation and issuing reduces the possibility that the token creation process can be subverted by an adversary (read: defense in depth).

If you need to revoke tokens in real time, then you need a central authority which validates each token. This works, but it defeats the purpose of JWT's design, and the system would be better off just issuing a cryptographic nonce as the token.
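The asymmetric split the answer describes, as an added example that is not part of the original answer: the authorization server holds the private key and mints tokens, the resource server holds only the public key and verifies locally, with no round trip to the issuer. It uses the Go standard library only; RS256 here means RSA PKCS#1 v1.5 over SHA-256 as in RFC 7518, the `Claims` schema and the subject names are constructed, and `Issue`, `Verify` and `RunDemo` are names chosen for this example. It also shows the two checks a local verifier must not skip: the algorithm is pinned server-side rather than read from the token, and `exp` is enforced locally (which is as close to revocation as this design gets without the central check the answer mentions).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the minimal payload used here (a constructed schema, not any real service's).
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

var enc = base64.RawURLEncoding

// Issue runs on the authorization server, the only party holding the private key.
func Issue(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	pl, _ := json.Marshal(c) // cannot fail for a struct of plain strings and ints
	input := hdr + "." + enc.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// Verify runs on the resource server with nothing but the public key: no call back to the issuer.
func Verify(pub *rsa.PublicKey, token string, now time.Time) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrJSON, err1 := enc.DecodeString(parts[0])
	plJSON, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return c, errors.New("bad base64url")
	}
	// Pin the algorithm server-side; a verifier that trusts the header is open to alg=none
	// and to HMAC-with-the-public-key confusion.
	var hdr struct{ Alg string `json:"alg"` }
	if e := json.Unmarshal(hdrJSON, &hdr); e != nil || hdr.Alg != "RS256" {
		return c, fmt.Errorf("rejected header %s", hdrJSON)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if e := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); e != nil {
		return c, errors.New("bad signature")
	}
	if e := json.Unmarshal(plJSON, &c); e != nil {
		return c, e
	}
	if now.Unix() >= c.Exp {
		return c, errors.New("token expired")
	}
	return c, nil
}

// RunDemo plays both roles: the issuer mints tokens, the resource server verifies them offline.
func RunDemo() (validOK, tamperedRejected, algNoneRejected, expiredRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // generated at startup for the example
	if err != nil {
		return
	}
	pub, now := &priv.PublicKey, time.Now() // pub is all the resource server is given
	tok, err1 := Issue(priv, Claims{Sub: "alice", Exp: now.Add(time.Hour).Unix()})
	forged, err2 := Issue(priv, Claims{Sub: "bob", Exp: now.Add(time.Hour).Unix()})
	old, err3 := Issue(priv, Claims{Sub: "alice", Exp: now.Add(-time.Minute).Unix()})
	if err1 != nil || err2 != nil || err3 != nil {
		return false, false, false, false, errors.New("issue failed")
	}
	c, err := Verify(pub, tok, now)
	validOK = err == nil && c.Sub == "alice"
	// Tampering: bob's payload spliced under alice's signature must fail.
	tp, fp := strings.Split(tok, "."), strings.Split(forged, ".")
	_, err = Verify(pub, tp[0]+"."+fp[1]+"."+tp[2], now)
	tamperedRejected = err != nil
	// Downgrade: an unsigned alg=none token must be refused even though it parses.
	noneHdr := enc.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	_, err = Verify(pub, noneHdr+"."+tp[1]+".", now)
	algNoneRejected = err != nil
	// Expiry is enforced locally too; revoking before exp is what this design cannot do alone.
	_, err = Verify(pub, old, now)
	expiredRejected = err != nil
	return validOK, tamperedRejected, algNoneRejected, expiredRejected, nil
}

func main() { fmt.Println(RunDemo()) }
```

Run with `go run .` to see all four checks come out as expected. The HMAC option in the answer is the same flow with one shared secret in place of the key pair; it is faster, but every resource server holding that secret can also mint tokens, which is exactly the subversion risk the asymmetric split avoids. In production, use a maintained JWT library rather than hand-rolled parsing, keep the algorithm pinned in the verifier's configuration, and distribute the public key to resource servers through a `kid`-addressed key set so the issuer can rotate keys without redeploying verifiers.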