JWT token validation on reverse proxy


Jihun Ha <jihun.ha@...>

Greetings,

When I read the document (https://wiki.edgexfoundry.org/download/attachments/329467/18_03_14_ver_EdgeX-simple-jwt-auth-DRAFT.docx?version=1&modificationDate=1521118200000&api=v2) about the reverse proxy and auth server, I had a little confusion about validating the JWT token on the reverse proxy.

AFAIK, JWT gives the resource server the capability to validate the received token without any query to the auth server or a database, because the information needed is self-contained in the JWT token.

So if a reverse proxy is employed and an API request with a JWT token is sent to the reverse proxy, I think it can validate the token by itself without querying the Authorization Server.

But pages 2~3 in the attached document describe that the Reverse Proxy receives the JWT token and queries the Authorization Server to validate it, which looks weird to me.

What am I missing at this point? I'd appreciate it if anyone could correct me :)

Thank you in advance.

Best Regards,

Jihun Ha (하지훈/河志薰, Ph.D.)

Edge Platform Development | IoT Lab

Software R&D Center | Samsung Electronics Co., Ltd

Mobile +82 10 2533 7947

jihun.ha at samsung.com | jhha85 at gmail.com
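Added example, not part of the original message or of the EdgeX draft document, showing the local validation the poster describes: the reverse proxy checks the token's signature, expiry and issuer using only a key it already holds and its own clock, with no call to the Authorization Server. SHARED_SECRET and EXPECTED_ISSUER are constructed values, and HS256 with a shared secret is an assumption chosen for brevity (an asymmetric algorithm with the auth server's public key at the proxy works the same way from the proxy's point of view). The docstring also names the one thing such local checks cannot see, a token revoked at the auth server before its exp, which is the usual reason a proxy still consults the auth server (token introspection) despite the token being self-contained.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo key shared by the auth server and the reverse proxy (assumption:
# HS256 with a shared secret, used here only to keep the example self-contained).
SHARED_SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_ISSUER = "edgex-auth-server"  # constructed issuer name, not from the document


def _b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url for all three segments.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Auth-server side: serialize header and claims, sign them with HMAC-SHA256."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    if alg == "none":  # unsigned token, used only to build a negative test case
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_locally(token: str, secret: bytes, now: Optional[int] = None) -> Tuple[bool, str, dict]:
    """Reverse-proxy side: check the token using only the shared key and the clock.

    Returns (ok, reason, claims). No network call is made; that is what makes a
    self-contained token useful at the proxy. What this cannot see: a token the
    auth server revoked before 'exp' still passes every check below.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", {}
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False, "malformed", {}
    # Pin the algorithm: the verifier decides how to verify, never the token's header,
    # which is what rejects alg=none and algorithm-substitution tokens.
    if header.get("alg") != "HS256":
        return False, "unexpected alg", {}
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature", {}
    claims = json.loads(_b64url_decode(payload_b64))
    # Require an integer exp and reject anything at or past it.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "expired", {}
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer", {}
    return True, "ok", claims


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock so the run is reproducible
    tok = issue_token({"iss": EXPECTED_ISSUER, "sub": "device-42", "exp": t0 + 300}, SHARED_SECRET)
    print(validate_locally(tok, SHARED_SECRET, now=t0))
    print(validate_locally(tok, SHARED_SECRET, now=t0 + 300))
```

Every decision in `validate_locally` is made from the token bytes, the proxy's key and the current time; if the deployment also needs to honour revocation or per-request policy held only at the Authorization Server, that is the extra query the document's pages 2~3 would be describing, and it is a trade-off against the round-trip-free validation the poster expects.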

 

 
