3 votes

In a pursuit to develop an OpenID Connect model for existing applications and back-end services, I am confused about whether to choose offline or online JSON token validation for the ID token and access token.

My OpenID Provider: Keycloak

My question is around the idea of token validation, so I am not discussing the implementation details.

As per OIDC (OpenID Connect),

the ID token will be issued to the service that is requesting the resource once authenticated,

and now on the resource server side, is it really necessary to verify the token with the OpenID Provider (Keycloak), or to validate the token offline based on the public key?

If I go for the offline model of token validation, what are the potential implications / limitations I must face?

I am looking for the ideal situations in which to choose the appropriate model, with the trade-offs discussed.


3 Answers

5 votes

The only advantage of online validation is the possibility that user rights are revoked in the meantime. With offline validation you have proof that the token was issued by your Keycloak and that nobody tampered with it. Online validation for every request would be too much.

For example, a click in the frontend can result in many API calls, and there is no benefit in creating a dozen REST requests to Keycloak in the same second. The recommendation is to keep the token lifetime shorter.

You could implement token caching and validate the token online at some short interval, but what's the point if you can just lower the token lifetime in Keycloak?

So to conclude, validate the token offline for the timeout duration (say 5 minutes; this should be configurable based on the use case) and beyond that period issue a new token.
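The caching-plus-online-check idea this answer weighs, as an added Go example that is not code from any answer on this page: a resource server validates online through an RFC 7662 token introspection endpoint but keeps each verdict for a short TTL, and the run shows the revocation window that buys. The provider is a constructed in-process stub (httptest), not Keycloak; the endpoint path only mirrors Keycloak's /realms/{realm}/protocol/openid-connect/token/introspect layout, and the client id, secret, token value and 150 ms TTL are made-up values.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
	"sync/atomic"
	"time"
)

// Introspection is the part of an RFC 7662 response the resource server acts on.
type Introspection struct{ Active bool `json:"active"` }

type cacheEntry struct{ res Introspection; expires time.Time }

// Introspector does online validation against the provider's introspection endpoint and
// caches each verdict for TTL: a burst of calls from one click costs one round trip, and
// the price is that a revocation at the provider is noticed up to TTL late.
type Introspector struct {
	Endpoint, ClientID, ClientSecret string
	TTL                              time.Duration
	Client                           *http.Client
	mu                               sync.Mutex
	cache                            map[string]cacheEntry
}

// Check returns the verdict and whether it was served from the cache.
func (ix *Introspector) Check(token string) (Introspection, bool, error) {
	ix.mu.Lock()
	e, hit := ix.cache[token]
	ix.mu.Unlock()
	if hit && time.Now().Before(e.expires) {
		return e.res, true, nil
	}
	// Introspection is an authenticated call: the resource server presents its own client credentials.
	form := url.Values{"token": {token}, "client_id": {ix.ClientID}, "client_secret": {ix.ClientSecret}}
	resp, err := ix.Client.PostForm(ix.Endpoint, form)
	if err != nil {
		return Introspection{}, false, err
	}
	defer resp.Body.Close()
	var res Introspection
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&res) != nil {
		return Introspection{}, false, errors.New("introspection failed: " + resp.Status)
	}
	ix.mu.Lock()
	ix.cache[token] = cacheEntry{res: res, expires: time.Now().Add(ix.TTL)}
	ix.mu.Unlock()
	return res, false, nil
}

// FakeProvider is a constructed stand-in for the provider (not Keycloak): it knows
// which tokens are still active and counts how often it is asked.
type FakeProvider struct {
	mu     sync.Mutex
	active map[string]bool
	Calls  atomic.Int64
}

func (p *FakeProvider) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.FormValue("client_id") != "inventory-api" || r.FormValue("client_secret") != "s3cret" {
		http.Error(w, "client authentication required", http.StatusUnauthorized)
		return
	}
	p.Calls.Add(1)
	p.mu.Lock()
	defer p.mu.Unlock()
	json.NewEncoder(w).Encode(Introspection{Active: p.active[r.FormValue("token")]})
}

// RunIntrospectionScenario checks one token four times around a revocation with a 150 ms
// cache; it returns the provider call count after each check and each check's verdict.
func RunIntrospectionScenario() (calls []int64, accepted []bool, err error) {
	provider := &FakeProvider{active: map[string]bool{"tok-1": true}}
	srv := httptest.NewServer(provider)
	defer srv.Close()
	ix := &Introspector{Endpoint: srv.URL + "/realms/demo/protocol/openid-connect/token/introspect", // Keycloak-style path, stub host
		ClientID: "inventory-api", ClientSecret: "s3cret", TTL: 150 * time.Millisecond,
		Client: srv.Client(), cache: map[string]cacheEntry{}}
	check := func() {
		res, _, e := ix.Check("tok-1")
		if e != nil {
			err = e
		}
		calls, accepted = append(calls, provider.Calls.Load()), append(accepted, res.Active)
	}
	check() // cold: one round trip, token active
	check() // next call of the same click: served from cache, no round trip
	provider.mu.Lock()
	provider.active["tok-1"] = false // user logged out or rights revoked at the provider
	provider.mu.Unlock()
	check() // revoked, but the cached verdict is still fresh: accepted anyway
	time.Sleep(200 * time.Millisecond)
	check() // cache expired: round trip again, now rejected
	return
}
```

The four checks return provider call counts 1, 1, 1, 2 and verdicts active, active, active, inactive: the third check accepts a token the provider has already revoked because the cached verdict is still fresh, which is exactly the TTL-long window this answer is trading against request volume, and it is the same window a short token lifetime gives you without the extra round trip. Introspection is an authenticated call, so the resource server needs its own client credentials at the provider (in Keycloak, a confidential client).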

0 votes

Token validation is one aspect, but it is not a complete security solution. You will often find that you need data from both the token and other sources to authorize access to resources properly.

So your solution depends on how you want to authorize, and also on non-functional requirements such as availability and performance.

My personal preference is offline due to its separation of concerns; see my write-up for further details.

0 votes

on the resource server side is it really necessary to verify the token with Open ID Provider (Keycloak)

Yes, you must validate the ID token as defined by the OpenID Connect (OIDC) protocol. Token validation has many steps, but mostly involves signature validation and issuer validation. Once this is done you can say the ID token is valid and hence mark the end user as authenticated. This is the core principle in OpenID Connect.

Regarding offline, validation on the public key is sufficient. For example, this means when your authorization server changes its key chain (which is rare and done when there's a security breach), you have to somehow update your key again.

Also, there exists JWT encryption (RFC 7516), which adds an extra layer of security for token validation (if you are concerned about security). But if I am correct, Keycloak doesn't support this.

Advantage of online validation

You always rely on the authorization server to verify the token's validity.

Disadvantage of online validation

You create more traffic for the authorization server. Also, your application server requires one more API call.

Regardless, you always need the public key of the authorization server.
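An added Go example, not code from any answer on this page, of the offline validation the answers describe: the resource server checks the RS256 signature against a key it already holds, selected by the kid from the token header, then issuer, audience and expiry, with no round trip to the provider. The key set is a plain map standing in for what a resource server fetches once from the provider's JWKS endpoint (Keycloak serves it at /realms/{realm}/protocol/openid-connect/certs); issuer, audience, kid, subjects and the fixed clock are made-up values, and MintToken exists only to play the provider so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// MintToken plays the provider: it signs base64url(header).base64url(payload) with RS256.
func MintToken(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// VerifyOffline checks a JWS with only a cached key set (from the provider's JWKS, keyed by kid): alg pin, key lookup, signature, iss, aud, exp.
func VerifyOffline(token string, keys map[string]*rsa.PublicKey, issuer, audience string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("bad base64url segment")
	}
	var hdr struct{ Alg, Kid string }
	// The token never chooses the algorithm: this rejects "none" and HS256 key confusion.
	if json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	pub, ok := keys[hdr.Kid]
	if !ok { // unknown kid: refresh the JWKS cache once (key rotation), then reject if still unknown
		return nil, errors.New("no key for kid " + hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature invalid")
	}
	var c map[string]any
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch exp, _ := c["exp"].(float64); {
	case c["iss"] != issuer:
		return nil, errors.New("wrong issuer")
	case !audienceMatches(c["aud"], audience):
		return nil, errors.New("audience mismatch")
	case now.Unix() >= int64(exp):
		return nil, errors.New("token expired")
	}
	return c, nil
}

// audienceMatches accepts aud as a single string or as an array; JWTs allow both.
func audienceMatches(aud any, want string) bool {
	list, _ := aud.([]any)
	if s, ok := aud.(string); ok {
		list = []any{s}
	}
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

// RunOfflineScenario: one provider key, then a token checked valid, tampered and expired,
// all offline. Issuer, audience, kid, subjects and the clock are made-up values.
func RunOfflineScenario() (map[string]error, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	const iss, aud, kid = "https://sso.example.test/realms/demo", "inventory-api", "key-1"
	keys, now := map[string]*rsa.PublicKey{kid: &priv.PublicKey}, time.Unix(1_700_000_000, 0)
	claims := map[string]any{"iss": iss, "sub": "alice", "aud": []string{aud, "account"}, "exp": now.Add(5 * time.Minute).Unix()}
	good, _ := MintToken(priv, kid, claims)
	// Tampered: a payload naming another subject, spliced in under the original signature.
	forged, _ := json.Marshal(map[string]any{"iss": iss, "sub": "mallory", "aud": aud, "exp": claims["exp"]})
	tampered := good[:strings.Index(good, ".")+1] + base64.RawURLEncoding.EncodeToString(forged) + good[strings.LastIndex(good, "."):]
	out := map[string]error{}
	_, out["tampered"] = VerifyOffline(tampered, keys, iss, aud, now)
	for name, at := range map[string]time.Time{"valid": now, "expired": now.Add(10 * time.Minute)} {
		_, out[name] = VerifyOffline(good, keys, iss, aud, at)
	}
	return out, nil
}
```

RunOfflineScenario returns a map from case name to verification error: nil for the valid token, an error for the payload spliced in under the original signature, and an error for the same token checked ten minutes later. It also shows what offline validation cannot tell you: a token revoked at the provider one second after issue verifies just as cleanly until exp, which is why the top answer pairs offline checks with a short lifetime; and an unknown kid is the cue to refresh the cached JWKS, since the provider rotates keys.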