If endpoint-1 always triggers endpoint-2 which verifies the token I would
consider it secured, although indirectly.
Not sure what you mean about making endpoint-2 trust endpoint-1. Endpoint-2
doesn't directly trust endpoint-1, rather it trusts the details from the
access token that endpoint-1 has retrieved. So in effect it trusts the user
of endpoint-1 rather than endpoint-1 itself.
On 4 October 2016 at 09:18, <Mohan.Radhakrishnan(a)cognizant.com> wrote:
Hi,
I have a general question about how we use JWT tokens.
Authentication: This is the most common scenario for using JWT. Once the
user is logged in, each subsequent request will include the JWT, allowing
the user to access routes, services, and resources that are permitted with
that token. Single Sign On is a feature that widely uses JWT nowadays,
because of its small overhead and its ability to be easily used across
different domains.
That seems to be our scenario. AFAIK there is no OAuth/OpenID in this
system.
Our JWT token from the browser is sent in a header to Rest Endpoint-1.
This endpoint isn't secured. I mean that it can't verify the claims in the
token. The claims don't represent any information related
to this endpoint. It just passes the token along to Endpoint-2 which is
capable of verifying the token.
Is this Endpoint-1 considered insecure now? It is just a mediator but
anyone with the token can access it. How do I make Endpoint-2 trust
Endpoint-1?
Thanks,
Mohan
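The arrangement discussed in this thread, as an added example (not code from the thread, from Cognizant or from Keycloak): Endpoint-1 forwards the Authorization header untouched, and Endpoint-2 checks the algorithm, signature, audience and expiry before trusting any claim, which is why the reply above treats the pair as secured "indirectly". The shared secret, the audience value and the HS256 choice are assumptions made for the example (a Keycloak realm would normally sign with RS256 and Endpoint-2 would verify against the realm public key), and the issuer function exists only to build test input.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"   # assumption: HS256 secret shared with the issuer
EXPECTED_AUD = "endpoint-2"           # assumption: audience value Endpoint-2 accepts

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub: str, aud: str, now: int, ttl: int = 300) -> str:
    """Constructed issuer: builds header.payload.signature for the example input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "aud": aud, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def endpoint_1(authorization: str, now=None) -> dict:
    """The mediator from the thread: it cannot evaluate the claims, so it only forwards the header."""
    return endpoint_2(authorization, now)

def endpoint_2(authorization: str, now=None) -> dict:
    """Verifies the token; whatever Endpoint-1 forwards is trusted only after this passes."""
    now = int(time.time()) if now is None else now
    if not authorization.startswith("Bearer "):
        return {"status": 401, "reason": "missing bearer token"}
    try:
        h_b64, p_b64, s_b64 = authorization[len("Bearer "):].split(".")
        header = json.loads(_b64url_decode(h_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":   # pin the algorithm; never let the token choose it
            return {"status": 401, "reason": "unexpected alg"}
        expected = hmac.new(SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            return {"status": 401, "reason": "bad signature"}
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError:   # wrong segment count, bad base64 or bad JSON all subclass ValueError
        return {"status": 401, "reason": "malformed token"}
    if not isinstance(claims, dict) or claims.get("aud") != EXPECTED_AUD:
        return {"status": 401, "reason": "wrong audience"}
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return {"status": 401, "reason": "expired"}
    return {"status": 200, "user": claims.get("sub")}
```

Because Endpoint-1 never inspects the token, its only security property is that every request it accepts ends in Endpoint-2's verification; if Endpoint-1 ever acts on the request before that call returns 200, it is the weak point.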
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user