Router firewall and validating identity
We can control for how long cached responses are used, to mitigate the risk of accepting an expired or recently revoked access token.
For example, if an API client typically makes a burst of several API calls over a short period of time, then a cache validity of 10 seconds might be sufficient to provide a measurable improvement in user experience.
As we’ll see in a moment, the following solution has a fundamental flaw, but it introduces the basic operation of the to prevent external clients from accessing it directly.
Lines 11–14 define various attributes of the request so that it conforms to the token introspection request format.
Authentication is required for the IdP to accept token introspection requests from this NGINX instance. With this configuration in place, when NGINX receives a request, it passes it to the JavaScript module, which makes a token introspection request against the IdP.
In this blog we describe how NGINX and NGINX Plus can act as an OAuth 2.0 Relying Party, sending access tokens to the IdP for validation and only proxying requests that pass the validation process.
We discuss the various benefits of using NGINX and NGINX Plus for this task, and how the user experience can be improved by caching validation responses for a short time.
It is supported by many of the leading IdP vendors and cloud providers.
Regardless of which token format is used, performing validation at each backend service or application results in a lot of duplicated code and unnecessary processing.