Access Token verification about fosite HOT 8 CLOSED

Fosite does not make implications how you handle this because Fosite does not know your requirements and environment. Additionally, OAuth2 does not specify how resource servers validate the issued tokens.

There are multiple ways to handle token validation:

• Use JWT with asymmetric cryptography
• Define your own token generation strategy
• Do a database lookup, using for example Storage.GetAccessTokenSession. This is neccessary if you use token revokation.

Depending on your use case, you can chose one or multiple of the things above. It would however be a good idea to have a validation example in the exemplary app. If you want to, give it a shot and create a PR - that's the best way to learn :)

from fosite.

If you use HMAC as token strategy, a client-side cryptographic validation of the tokens is not possible because you need both the global secret and the client secret. In that case a database lookup would be best.

from fosite.

I'd definitely send a PR once I figure things out. But I think I might still not be getting the concepts right. I'm very new to OAuth in general, just getting started.

from fosite.

I see :) OAuth2 can be very tricky, especially with so many different workflows and extensions. If you need help, feel free to ask any time.

from fosite.

I took a little time to think about this issue and there must be a standard way for validating tokens. I will think about this issue over the next few days and hopefully come up with a good, extensible solution.

from fosite.

I will see if i have time to fix a simple middleware example that is able to validate the token using either a shared secret (via HMAC) or with Certificates (JWT, for more manageable security) in the coming day or two. :)

from fosite.

Nice @leetal !

from fosite.

This will be covered in #31

from fosite.