Forum Discussion

Cirrocumulus

4 years ago

F5 Oauth server introspect JWT access token from external server

dear all, I already have setup a F5 as oauth client, F5 as oauth server (AS) and F5 as API gateway where F5 performs the introspect internally in its oauth database. So that is all working fine. ...

application delivery

BIG-IP Access Policy Manager (APM)

Cirrocumulus

4 years ago

The answer is to use the JWKS endpoint and verify the JWT kid signature value and perform a modulus check. So there is no need to contact the introspect endpoint.

https://medium.com/trabe/validate-jwt-tokens-using-jwks-in-java-214f7014b5cf

https://software-factotum.medium.com/validating-rsa-signature-for-a-jws-10229fb46bbf

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)