Question

Is there any way to check whether the JWT token the OAuth client gets from the identity server is OK or not?

I'm afraid that when a user gets the access_token and uses base64 to decode it, the user can then modify the token string.

My scenario is: I have two web portals, A and B, both of which are integrated with the Thinktecture identity server. User A can only access portal A with the "role:portalA" claim and could not access portal B. If user A logs in to portal A and gets the access_token, then adds "role:portalB" into the access_token and encodes it with base64 again, and then passes the modified access_token to portal B, I'm afraid that user A could access portal B. So I have to check the access_token with the identity server again. Is there any way to validate this access_token? Or will this situation not happen?


Solution

I believe Thinktecture Identity Server has an endpoint for this at (baseurl + "/core/accessTokenValidation?token=" + access_token).

Example:

GET request to: http://localhost:3333/core/accessTokenValidation?token=aEdhoi23hlv2khdf2lkhfv4pv....

If the access_token is valid, it should return a 200 response, otherwise it'll return a JSON error message {"error":"invalid_token"} and a 4XX response.

You should wire up a call to this service to validate tokens, then cache the response.

Take a look at the source code: https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Endpoints/Connect/AccessTokenValidationController.cs
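To see why the validation endpoint (and any relying party doing the same check locally) rejects a token whose payload was edited and re-encoded, here is an added example that is not part of the answer above and not IdentityServer's own code. It assumes an HS256 (HMAC-SHA256) token with a constructed shared secret so it runs offline with the standard library; IdentityServer signs access tokens with RS256 using its X.509 signing certificate, but the `header.payload.signature` layout and the check order (signature, then expiry, then audience) are the same, only the signature primitive differs. The claim names `role`, `aud` and the portal names come from the question.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple, Union

# Constructed demo secret. A real IdentityServer signs with the private key of its
# X.509 signing certificate (RS256) and relying parties verify with the public key.
SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments are unpadded; restore the '=' padding before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue a token the way the identity server does: sign header.payload."""
    header = b64url_encode(_json({"alg": "HS256", "typ": "JWT"}))
    payload = b64url_encode(_json(claims))
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def tamper_with_role(token: str, extra_role: str) -> str:
    """The attack from the question: base64-decode the payload, add a role,
    base64-encode it again. The attacker cannot recompute the signature."""
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    roles = claims.get("role", [])
    roles = [roles] if isinstance(roles, str) else list(roles)
    claims["role"] = roles + [extra_role]
    return f"{header}.{b64url_encode(_json(claims))}.{sig}"


def validate_token(token: str, expected_aud: str, secret: bytes = SECRET,
                   now: Optional[float] = None) -> Tuple[bool, Union[dict, str]]:
    """Return (True, claims) or (False, error). The signature is checked before
    anything in the payload is trusted; then expiry and audience."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "invalid_token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never honour alg=none
            return False, "invalid_token"
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return False, "invalid_token"  # payload or signature was altered
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "invalid_token"
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired_token"
    if claims.get("aud") != expected_aud:
        return False, "invalid_token"  # token was issued for another portal
    return True, claims


def demo() -> Tuple[bool, bool]:
    """Constructed scenario: user A's portal-A token is forged for portal B."""
    issued = mint_token({"sub": "userA", "aud": "portalA", "role": ["portalA"],
                         "exp": time.time() + 3600})
    forged = tamper_with_role(issued, "portalB")
    return validate_token(issued, "portalA")[0], validate_token(forged, "portalB")[0]


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The forged token still base64-decodes to a payload containing "portalB", which is exactly what the question fears; it fails because the third segment no longer matches an HMAC over the edited second segment, and the attacker cannot produce a new one without the key. The audience check matters independently of tampering: an untouched portal-A token presented to portal B should also be refused.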

Other tips

Thinktecture IdentityServer3 has a different endpoint.

More details in official documentation: https://identityserver.github.io/Documentation/docs/endpoints/accessTokenValidation.html

Example:

GET /connect/accesstokenvalidation?token=<token>

A successful response will return a status code of 200 and the associated claims for the token. An unsuccessful response will return a 400 with an error message.
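A resource-side client for that endpoint, as an added example that is not part of the answer above and not IdentityServer's own client library. It assumes only the contract described above (200 with a JSON claims object on success, 400 with a JSON `{"error": ...}` body on failure); the base URL `https://idsrv.example`, the `get` transport hook and the `constructed_responder` stand-in are assumptions so the code runs offline. The second function shows the check the portal still has to make itself: a token being valid only means it was issued by your identity server and has not expired, so portal B must additionally look for its own `role` claim (names from the question).

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Tuple, Union

HttpGet = Callable[[str], Tuple[int, bytes]]


def http_get(url: str) -> Tuple[int, bytes]:
    """Real transport: returns (status, body); a 4xx is returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def validate_access_token(base_url: str, token: str,
                          get: HttpGet = http_get) -> Tuple[bool, Union[dict, str]]:
    """Ask IdentityServer3 whether the token is valid.
    200 -> (True, claims); 400 -> (False, error string from the JSON body)."""
    url = (base_url.rstrip("/") + "/connect/accesstokenvalidation?"
           + urllib.parse.urlencode({"token": token}))
    status, body = get(url)
    try:
        data = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return False, "invalid_response"
    if status == 200 and isinstance(data, dict):
        return True, data
    error = data.get("error") if isinstance(data, dict) else None
    return False, error or f"http_{status}"


def authorize_for_portal(base_url: str, token: str, portal: str,
                         get: HttpGet = http_get) -> bool:
    """'Valid' means issued by our identity server and not expired.
    Each portal must still check that the claims carry its own role."""
    valid, claims = validate_access_token(base_url, token, get)
    if not valid:
        return False
    roles = claims.get("role", [])
    roles = [roles] if isinstance(roles, str) else list(roles)
    return portal in roles


# Constructed stand-in for the identity server so the example runs offline.
# "good-token-for-A" plays the token IdentityServer issued to user A; any other
# value plays a token whose signature no longer matches (e.g. an edited payload).
def constructed_responder(url: str) -> Tuple[int, bytes]:
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    token = query.get("token", [""])[0]
    if token == "good-token-for-A":
        claims = {"sub": "userA", "role": ["portalA"], "exp": 2000000000}  # constructed
        return 200, json.dumps(claims).encode("utf-8")
    return 400, json.dumps({"error": "invalid_token"}).encode("utf-8")


if __name__ == "__main__":
    base = "https://idsrv.example"  # assumed base URL
    print(authorize_for_portal(base, "good-token-for-A", "portalA", constructed_responder))  # True
    print(authorize_for_portal(base, "good-token-for-A", "portalB", constructed_responder))  # False
    print(authorize_for_portal(base, "forged-token", "portalB", constructed_responder))      # False
```

If you cache the response as the first answer suggests, cache only successful results and no longer than the token's `exp`; a cached failure would lock out a token that later becomes valid, and a cached success beyond `exp` extends the token's life past what the server granted. Since the documented endpoint is a GET with the token in the query string, expect the token to appear in the identity server's request logs and restrict access to those logs accordingly.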

License: CC-BY-SA with attribution
Not affiliated with StackOverflow