When and how should I validate a JWT issued by FusionAuth?
-
When and how should I validate a token issued by FusionAuth via a login process?
-
Validating the token on every new connection is considered best practice as it is the most secure.
There are two ways to validate a token. You can do it within your own application code leveraging a library that checks the signature and validates the claims (this only works when you sign your JWTs with a public key). Or you can do it by calling out to FusionAuth, and then validating the claims. For scalability/simplicity reasons, we recommend using the library unless there are reasons it won't work.
By doing this server side using a library you no longer need to make the API call to FusionAuth to perform the validation. You would only need the public key of whichever signing key was used by FusionAuth. More on that here: https://fusionauth.io/docs/v1/tech/core-concepts/key-master#overview The public key is available via JWKS.
When using keys we also recommend you think about key rotation, explained in more detail here: https://fusionauth.io/docs/v1/tech/tutorials/key-rotation
If you decide on leveraging the endpoints (making a call to FusionAuth) for validation, here are a couple links that can be used depending on your scenario.
https://fusionauth.io/docs/v1/tech/apis/jwt#validate-a-jwt (proprietary)
https://fusionauth.io/docs/v1/tech/oauth/endpoints#userinfo (part of the OIDC standard)
In both cases, you must validate the claims. Some are standard, as outlined here: https://fusionauth.io/learn/expert-advice/tokens/anatomy-of-jwt#claims-to-verify
But there may be app specific custom claims your code should verify too.