OAuth2 Tips: Token Validation

There is a lot to learn about OAuth 2 and token validation — let's take a closer look.

By Nelia Loginova · Jan. 11, 19 · Presentation


Bearer Token Types

There are two types of OAuth2 bearer tokens:

  • Opaque token: a string that carries no meaning for the client (e.g., 2YotnFZFEjr1zCsicMWpAA). This type of bearer token cannot be validated by the Resource Server without direct communication with the Authorization Server.
  • JWT token: a JSON object with statements (claims) about the user and the token. A JWT consists of three separate parts: header, payload, and signature, each base64url-encoded for transfer. JWTs are not part of the core OAuth2 specification but are mandatory in OpenID Connect. A JWT is the most popular way to pass information about the current authentication between microservices. More details can be found here.

Token Validation Methods

OAuth2 tokens can be validated using the following methods:

  • Introspection. The Resource Server retrieves the current token information from a dedicated endpoint of the Authorization Server. The response usually includes the token type, status (active or not), user, client identifier, granted OAuth2 scopes, and expiration time. A detailed description can be found in the specification https://tools.ietf.org/html/rfc7662. This method requires a direct call to the Authorization Server for every token validation: it is the most secure option, but the slowest.
  • Validation by signature (JWT tokens only). The token is validated against its cryptographic signature, and all required token information is read from the token itself. Validity is therefore verified without any interaction with the Authorization Server, so if the token was revoked before its expiration, the Resource Server will never know about it. This method is fast but less secure than introspection.
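As an added example (not code from the original article), both validation methods side by side in plain Python: a local HS256 signature-and-expiry check, and an in-process stand-in for the RFC 7662 introspection endpoint that also consults a revocation list. The shared secret, the revocation set and all claim values are constructed for the demo; a real deployment would verify against the Authorization Server's published keys and call its actual introspection URL.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by the Authorization Server and the Resource Server (HS256).
SECRET = b"demo-shared-secret-not-for-production"
REVOKED = set()  # constructed stand-in for the Authorization Server's revocation list, keyed by "jti"

def b64url_decode(s):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_jwt(claims, secret=SECRET):
    # Builds a sample token for the demo; a real issuer lives in the Authorization Server.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_by_signature(token, secret=SECRET, now=None):
    # Local check: signature and expiry only. Returns the claims, or None if invalid.
    # A revoked-but-unexpired token still passes here, which is the trade-off the text describes.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    # Pin the expected algorithm instead of trusting the header to choose it.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:  # a missing "exp" is treated as expired
        return None
    return claims

def introspect(token, now=None):
    # Stand-in for the RFC 7662 endpoint: only the Authorization Server knows about revocation.
    claims = validate_by_signature(token, now=now)
    if claims is None or claims.get("jti") in REVOKED:
        return {"active": False}
    return {"active": True, **claims}
```

Revoking a token by adding its `jti` to `REVOKED` flips `introspect` to inactive while `validate_by_signature` keeps accepting it until `exp`, which is exactly the gap the article warns about.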

Put Them Into Practice

Let’s imagine that we have an application with a microservice architecture. It has several frontends, mobile applications, an API Gateway, and a lot of different useful backends.

As we follow microservice architecture principles, we move authentication functions to a separate service. It is called Authorization Server in OAuth2 terminology.

Frontends and mobile applications successfully delegate authentication to the Authorization Server. As a result of an authentication process, they get an access token that can be used to call our backend services. So what’s next?

Option 1. Secure API Gateway

API Gateway is usually a central entry point to the system, so at that point, we can verify all incoming requests and decide whether they go further or not. The main idea of that approach is to apply strong validation on API Gateway and light validation on backends.

Implementation details:

  • The API Gateway verifies the access token of every incoming request via introspection. This guarantees that the token is valid, not expired, and not revoked.
  • Every backend service validates the access token only by signature.
  • Services with strong security requirements (e.g., those that access personal data) may still validate the access token via the introspection endpoint.

This option gives a good balance between security requirements and system performance.

Option 2. Introspection Only

In some architectures, the API Gateway has no additional functions, or there is no API Gateway at all. The only possible way is then to verify the access token on the backends.

Implementation details:

  • Every backend service should validate the access token via introspection. Only introspection guarantees that the token is valid, not expired, and not revoked.

This approach adds one additional call for each service invocation. It can cause performance problems depending on the actual system architecture.

Summary

A JWT is the standard way to pass authentication between microservices. The token can be verified via the introspection endpoint or by signature. The most common way to build token verification into the system is to introspect the token on the API Gateway and verify the signature on the other services. If we cannot add additional security functions to the API Gateway, the token should be introspected on every service. Of course, other combinations of validation methods are also possible under specific conditions; the particular choice between the methods should be made according to the system architecture and security requirements.
