Better description about the ways to verify tokens to let the developer decide based on characteristics

This commit is contained in:
Andreas Svanberg 2025-03-25 19:47:16 +01:00
parent 464031bd17
commit 411bba57b2
Signed by: ansv7779
GPG Key ID: 729B051CFFD42F92

@ -166,7 +166,15 @@ scope: calendar</pre>
different languages.
</div>
<p>
Fetch the public key from the authorization server to use for verification.
Public key verification can be done completely locally within the resource server. It does not require the
authorization server to be online since it sends no network requests, and it does not require slow credential
verification. It is however more complex to set up than the token introspection.
</p>
<p>
The following steps can, and probably should, be done once and the keys stored until there is a reason to update
them. If the resource server is presented with a <abbr title="JSON Web Token">JWT</abbr> that, in its header,
specifies a key that is not match the downloaded keys there is a high probability that the token is invalid.
If you register your client with the authorization server you will be contacted if the keys are updated.
</p>
<ol>
<li>Download the metadata from <a href="/.well-known/oauth-authorization-server"><code>/.well-known/oauth-authorization-server</code></a></li>
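Review bot: The second paragraph has a grammar slip in "specifies a key that is not match the downloaded keys"; suggest "specifies a key ID (<code>kid</code>) that does not match any of the downloaded keys". The same sentence only says such a token is "probably invalid" without telling the reader what the resource server should do; since the previous sentence says keys are stored and updated only when there is a reason, it would help to state the intended handling explicitly (reject the token, or re-fetch the JWKS once and reject if the key ID is still unknown) so that an unknown <code>kid</code> is never treated as a reason to skip verification.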
@ -181,14 +189,18 @@ scope: calendar</pre>
<ol>
<li>Parse the header</li>
<li>Find the key ID to determine what key was used to sign (<code>kid</code> parameter)</li>
<li>Find the key from the JWKS</li>
<li>Find the key from the among the downloaded keys in the JWKS</li>
<li>Verify the signature</li>
</ol>
<h3>Token introspection</h3>
<div class="alert alert-warning">
This is <strong>not</strong> the recommended way to verify tokens, but it is an option.
</div>
<p>
Token introspection is a simple way to verify the token. It requires the authorization server to be online, and
it requires the resource server to send a network request to the authorization server. It is a fine choice for
low throughput services, for example if all you need is the subject when the end user logs in. However, using it
for a "standard" JSON over HTTP API is not recommended as it will add a lot of overhead and reliance on other
servers being online to every single request.
</p>
<p>
First you need to
<a href="${springMacroRequestContext.getContextUrl("/admin/client/new")}">register your resource server</a> with
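Review bot: Steps 3 and 4 of the verification list overlap ("Find the key from the JWKS" and "Find the key from the among the downloaded keys in the JWKS"); if the second line is the replacement for the first, the old line should be removed, and "from the among" should read "among". The list also ends at "Verify the signature", so a reader could conclude that a valid signature alone makes the token acceptable; consider adding a final step to validate the claims the resource server relies on (expiry, and the expected scope such as the <code>scope: calendar</code> shown in the surrounding example) before granting access. In the introspection paragraph, "it will add a lot of overhead and reliance on other servers being online to every single request" reads more clearly as "it adds overhead and a dependency on the authorization server being online to every single request".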