Offline Access Token Validation

Estimated time: 5–10 minutes

What You Will Accomplish

In this guide, you will validate an Access Token issued by Mekarge A3 by verifying the JWT signature and testing the token claims. All Access Tokens in Mekarge A3 are issued in JWT format. Depending on the Access Token Signing Algorithm type of the Environment, JWT signatures can be validated using either symmetric or asymmetric keys. This method is also called "Offline validation".

This approach is significantly faster than calling the Introspection endpoint, although it does not provide point-in-time validation: a token that has been revoked but has not yet expired still validates successfully.

This guide demonstrates how to validate Access Tokens signed with asymmetric keys by retrieving public keys directly from the JWK Set Document Endpoint, without requiring a prior secret exchange.

At the end of this tutorial:

  • You will validate an Access Token using a Python-based validator tool.

Quick Concepts

Client: Represents the web application
Resource: Represents a protected API

Read more about Architecture and Concepts in Mekarge A3 documentation.

Obtain the Access Token to Validate

Step 1: Request Access Token to Validate

  1. Obtain a fresh Access Token for the Client using the final step of the "Authorize Machine-to-Machine Application" guide
  2. Save the Access Token to a token.txt file

  💡 Hint: The Access Token is the value of the access_token attribute in the response JSON.

Clone Tool Repository

Step 2: Clone Repository

  1. Run the following command to clone the Token Validation Tool repository

git clone https://github.com/mekargeoss/a3-ri-webapp-python

Step 3: Install Dependencies

  1. Run the following commands to install dependencies

python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

Validate Token

Step 4: Get Issuer Path

  1. Navigate to Environments
  2. Click at the end of the current Environment and select View Details
  3. Export the Issuer Path to the ISSUER_PATH environment variable

export ISSUER_PATH=

  4. Run the following command to validate the Access Token using the tool

python app/main.py \
  --issuer-path "$ISSUER_PATH" \
  --token-file token.txt

Summary

What Happened?

  1. The validator tool first validated the JWT signature by:
    • Calling the OpenID Configuration Endpoint and then the JWK Set Document Endpoint it points to, in order to fetch the JWK set.
    • Verifying the JWT signature with the public key shipped in the JWK set.
  2. After the JWT signature was verified, the validator tested several JWT claims such as iss, exp and others.
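The same two stages, written out as an added example that is not the validator tool's own code: it mints a token from a constructed RSA key pair so that it runs offline, then validates it by pinning the algorithm, looking the key up by kid in the JWK set, and checking the iss, aud and exp claims. It assumes the cryptography package is installed; the issuer and audience strings are placeholders.

```python
import base64, json, time
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

ALG = "RS256"  # pinned: the verifier never trusts the token's own alg header

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def validate_token(token: str, jwks: dict, issuer: str, audience: str, now=None) -> dict:
    now = time.time() if now is None else now
    head_b64, body_b64, sig_b64 = token.split(".")  # ValueError if not a compact JWT
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # Select the JWK by kid; an unknown kid means the token cannot be trusted.
    jwk = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("no matching key in JWK set")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    public_key = rsa.RSAPublicNumbers(e, n).public_key()
    try:  # signature is checked over the raw header.payload text, before any claim is read
        public_key.verify(b64url_decode(sig_b64), f"{head_b64}.{body_b64}".encode(),
                          padding.PKCS1v15(), hashes.SHA256())
    except Exception as exc:
        raise ValueError("signature verification failed") from exc
    claims = json.loads(b64url_decode(body_b64))
    aud = claims["aud"] if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if audience not in aud:
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims

def issue_token(claims: dict, kid: str = "demo-key"):
    """Constructed stand-in for the issuer: mints an RS256 token plus the JWK set that verifies it."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = priv.public_key().public_numbers()
    jwks = {"keys": [{"kty": "RSA", "use": "sig", "alg": ALG, "kid": kid,
                      "n": b64url(pub.n.to_bytes(256, "big")), "e": b64url(pub.e.to_bytes(3, "big"))}]}
    signing_input = b64url(json.dumps({"alg": ALG, "kid": kid}).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = priv.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(sig), jwks
```

In the real tool the JWK set comes from the JWK Set Document Endpoint discovered via the OpenID Configuration Endpoint; here it is handed in directly so the checks can run without network access.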

Key Takeaways

  • All Access Tokens in Mekarge A3 are issued in JWT format.
  • JWT signatures can be validated offline.
  • Offline validation avoids Introspection calls and improves performance.