No Rule for Shared Key between Authorization Server and Resource Server

Because no such rule exists, implementers have to decide their own rules as to how to determine a shared key if they want to use symmetric algorithms for signing access tokens.

Some authorization server implementations issue pairs of client ID and client secret to resource servers. By treating resource servers as clients, the existing rules and infrastructure for keys can be reused. It may work, but I'm not so sure that mixing different concepts won't cause inconsistencies somewhere unexpected in future.

Asymmetric Signature Algorithm

An authorization server signs an access token with a private key, and a resource server verifies the signature using a public key exposed by the authorization server. The resource server therefore has to obtain the public key of the authorization server before performing signature verification.

If the authorization server provides an endpoint that exposes its JWK Set document (RFC 7517) and the document includes the public key with which to verify the signature of access tokens, resource servers can download the public key from that endpoint. If the authorization server supports OpenID Connect Discovery 1.0, resource servers can find the URL of the JWK Set document in the response from the authorization server's discovery endpoint (/.well-known/openid-configuration). A discovery endpoint returns information about the server's configuration in JSON format.
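The asymmetric flow above, written out as an added Go example (not code from the original post): the authorization-server side publishes the JWK Set document that a resource server would download from the URL found via discovery (the jwks_uri member), and the resource-server side verifies an RS256 access token against it. The key pair, the kid value and the claims are constructed for the demo, and the download itself is assumed to have already happened, so the JWK Set is passed in as bytes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url (RFC 7515)
// signingKey is the authorization server's RSA key pair (constructed for the demo); only its public half ever leaves the server.
var signingKey, _ = rsa.GenerateKey(rand.Reader, 2048)
type JWK struct{ Kty, Kid, N, E string } // RSA members of one JWK Set entry (RFC 7517)
type JWKS struct{ Keys []JWK }           // the document served at jwks_uri
// PublishJWKS (authorization server) renders the JWK Set document: modulus and exponent only, base64url-encoded, tagged with a kid.
func PublishJWKS(kid string, pub *rsa.PublicKey) []byte {
	doc, _ := json.Marshal(map[string]any{"keys": []map[string]string{{
		"kty": "RSA", "kid": kid, "use": "sig", "alg": "RS256",
		"n":   b64.EncodeToString(pub.N.Bytes()),
		"e":   b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
	}}})
	return doc
}

// VerifyRS256 (resource server) pins the algorithm, picks the JWK by the header's kid, rebuilds the RSA public key from n/e and verifies the signature over header.payload.
func VerifyRS256(token string, jwksJSON []byte) error {
	var set JWKS
	var hdr struct{ Alg, Kid string }
	parts := strings.Split(token, ".")
	hdrRaw, err := b64.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" || json.Unmarshal(jwksJSON, &set) != nil {
		return errors.New("malformed JWS or JWK Set, or alg is not RS256") // the token never chooses alg
	}
	for _, k := range set.Keys { // use only the published key whose kid the header names
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		sig, errS := b64.DecodeString(parts[2])
		if k.Kty != "RSA" || k.Kid != hdr.Kid || errN != nil || errE != nil || errS != nil {
			continue
		}
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // RS256 = RSASSA-PKCS1-v1_5 over SHA-256
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
	}
	return errors.New("no usable RSA key for kid in JWK Set")
}
```

Pinning alg to RS256 and selecting the key by kid are what stop a presented token from steering the verifier toward a different algorithm or key than the one the authorization server published.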