Validation of signed JWTs in an offline manner

[nscarlson]

I'm currently calling validateJWT() on every request from my microservices to validate the JWT. While I'm sure this may be a very lightweight request, but can FusionAuth provide advice or examples for, say, validating the token on some microservice without having to make requests to the auth server?

The current implementation of validateJWT() appears to make a network requests per invocation like so:

  validateJWT(encodedJWT: string): Promise<ClientResponse<ValidateResponse>> {
    return this.startAnonymous<ValidateResponse, void>()
        .withUri('/api/jwt/validate')
        .withAuthorization('Bearer ' + encodedJWT)
        .withMethod("GET")
        .go();
  }

[robotdan]

If you want to skip calling FusionAuth for each of these validation events, you can validate the JWT on your end.

If you configure a key pair (public + private) to sign your JWT, then the public key will be available in the JWKS. Many libraries exist that will validate JWTs using JWKS.

https://fusionauth.io/docs/v1/tech/oauth/endpoints/#openid-configuration
https://fusionauth.io/docs/v1/tech/oauth/endpoints/#json-web-key-set-jwks

[nscarlson]

Thanks @robotdan, these resources are exactly what I need.