1
votes

I will be using OAuth and OpenID Connect. My application will have a separate authorization server and resource server. I want to implement a POC. I have a few questions:

1. How do I store the received access token in my application? What is the best option: store it in a DB, or in the session / cookie?
2. How will the resource server validate the access token generated by the authorization server?
3. How do I implement session management in my application? I read that OpenID Connect is stateless, but to validate the token I need to maintain a session, so I am very confused.

I have read a lot but could not find this scenario where the authorization and resource servers are separate.

1
Did you ever get this working? My authorization and resource servers are also separate and I cannot figure out how to use a token from the auth server to access my resource server. - nitewulf50

1 Answer

0
votes
  1. Access tokens are usually short lived. This is done for security purposes to avoid MITM attacks. So in my opinion, unless you are using long lived tokens for some reason (in which case it's better to use a database), the best option would be to store the access token in the server session or cookies.
  2. There are basically two ways to do this. Either you invoke the introspection endpoint of the authorization server (IdP) with the access token through the resource server, or you can verify the token in the resource server itself using a library (nimbusds, auth0) by validating the token signature and claims. The recommended one is the second option because if there are several resources trying to validate tokens using introspection, the overhead would be too high. Also, some IdPs don't allow introspection through bearer tokens, which could be problematic in the case of a public client (no client secret to use in client credentials).
  3. I guess this depends on how your application works. If you are using something like servlets, you can store the tokens in the server session or cookies through the client application. When the tokens are sent to the resource server they should be sent within the request header under the Authorization parameter. Not exactly sure about this one.

Hope this helps. Cheers.