How is Token validation performed?
-
Reading through the ASP.NET backend setup for FusionAuth, in terms of configuration settings, this is all that's required:
"Authentication": { "Schemes": { "Bearer": { "Authority": "http://localhost:9011", "ValidAudiences": [ "e9fdb985-9173-4e01-9d73-ac2d60d1dc8e" ] } } }
Because there's no client secret, I'm wondering how the token is validated without the api server needing to communicate with the FusionAuth authorization server? Should the ValidAudience uuid be considered sensitive data?
Thanks!
-
@benlabbe2007: So in this example, the token is generated with the API password `this_really_should_be_a_long_random_alphanumeric_value_but_this_still_works`. The following request is sent to the FusionAuth server and returns the signed JWT.
```shell
curl --location 'http://localhost:9011/api/login' \
  --header 'Authorization: this_really_should_be_a_long_random_alphanumeric_value_but_this_still_works' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "loginId": "customer@example.com",
    "password": "password",
    "applicationId": "e9fdb985-9173-4e01-9d73-ac2d60d1dc8e"
  }'
```
That password is sensitive and you would not share that for a production environment.
In the example, you pass the token you received from the above call to the API server. The Microsoft.AspNetCore.Authentication.JwtBearer package validates the JWT by default. Since the JWT is signed, we can assume it has not been tampered with. It is possible to add custom validation criteria for special cases if needed.
The ValidAudiences UUID should not be considered sensitive as it is contained in the JWT and anyone with access to the JWT can see it.