Saturday, July 11, 2020

OAuth2 and OpenID difference regarding JWT and token inspection endpoint

OAuth2 is a popular framework for authenticating a user with a third-party identity provider (authentication server). Basically, the user first authenticates to the third-party IdP to get a grant code, and then the client or web app can request the access token from the authorization server using that grant code. Usually the authentication server and the authorization server belong to the same third-party identity provider.

In OAuth2, the access token is sent by the client app to the resource server when the client requests data from it; however, OAuth2 does not specify the content or format of the access token. From the resource server's point of view, it is just an opaque string that carries no information about the client that sent the request. So the resource server must contact the authorization server to validate the access token in order to find out whether it can grant the client's request. This is why an OAuth2 authorization server needs to expose a token introspection endpoint URL for the resource server to validate the token.

With the OAuth2 token introspection endpoint, the OAuth2 authorization server can support single sign-off, because the authorization server can invalidate an issued token at any time and then return failure for all subsequent token validation requests sent by the resource server.

However, it is not very efficient if the resource server needs to send a token validation request to the authorization server for every client-side resource request. That is what has been improved by OpenID, which is built on top of OAuth2.

OpenID introduces the JWT (JSON Web Token) as the token format. It includes all the information the resource server needs in order to decide whether to accept the client request, so there is no need to send an extra request to the token introspection endpoint for this purpose.

A JWT is a base64-encoded JSON string containing user id information, the granted scope, the token expiration time, the signing algorithm, and the signature. Note that the information included in the token is not confidential, so anyone can read it. However, since the token is digitally signed with the authorization server's private key, the signature can easily be verified by anyone using the authorization server's public key, so the token cannot be altered by someone for malicious purposes.

JWT has significantly simplified the token validation logic: the authorization server can just create a token, digitally sign it, and forget about it. Anyone who gets the token can validate it using only the authorization server's public key, without actually communicating with the authorization server. One drawback of OpenID is that there is no simple way to support single sign-off: once a token is signed and sent out by the authorization server, it will always be accepted by the resource server until the token expires.
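As an added example, not code from the original post: the mint-and-verify split described above in Go, where the resource server checks the signature and the exp claim locally with the public key and never calls an introspection endpoint. It assumes Ed25519 as the signing algorithm (alg "EdDSA" in the header) and constructed claims; the verifier pins the algorithm itself rather than trusting the token's "alg" field, and it can only reject expired tokens, which is the single sign-off limitation noted above.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// Mint is the authorization server side: serialize header and claims, sign
// "header.payload" with the private key (assumed alg: EdDSA), append the signature.
func Mint(priv ed25519.PrivateKey, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// Verify is the resource server side: signature and exp are checked locally
// with the public key, so no introspection request is needed. The verifier
// fixes the algorithm itself instead of trusting the token's "alg" field.
func Verify(pub ed25519.PublicKey, token string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("unreadable header or unexpected alg")
	}
	sig, _ := b64.DecodeString(parts[2]) // a bad decode simply fails verification below
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature does not verify")
	}
	var claims map[string]any
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, errors.New("unreadable payload")
	}
	// Expiry is the only lifetime check possible here: a revoked but unexpired token still passes.
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("missing exp or token expired")
	}
	return claims, nil
}
```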
