Managing Tokens
Using UAA for Token Validation
UAA uses token based authentication, issuing tokens for client applications to use when they act on behalf of Cloud Foundry users. Token based authentication is required to develop secure applications that can only be accessed based on a security token that is generated for the user on authentication.
After generating an Access Token, the client accessing your application presents the bearer token to your application for authentication. Your application validates this token using UAA. A token can be validated in one of the following ways:
- Validate the token remotely using UAA: UAA provides an endpoint (/check_token) to validate an access token coming from a resource server. For more details on the endpoint, see UAA Documentation.
- Validate the token locally: Predix platform provides a Java-based FastTokenService library to validate the token locally. FastTokenService performs the following tasks:
- Downloads and caches the UAA identity zone public key and uses this key to validate the token signature.
- Validates that the token is issued by a valid issuer.
- Validates that the token has not expired.
- Validates that the token is not issued for a future date.
For more information on FastTokenService library, see uaas-managing-tokens.html#task_495fba73-59fe-41a0-a8d4-753bcf33a211.
The type of token validation that you use depends on the validation needs of your application. For example, if you need to use token revocation, then you must use remote token validation. However, if you only need to validate that the token has not expired, you can validate the token locally and minimize network requests to UAA. While remote validation offers complete validation support, local validation is much faster and less taxing on the network.
The following table shows the different scenarios where remote and local validation can be used:
Validation Requirement | Remote Validation | Local Validation |
---|---|---|
Is the token tampered? | Yes | Yes |
Is the token expired? | Yes | Yes |
Is the token issued for a future date? | Yes | Yes |
Was the token revoked? | Yes | No |
Is the user still available and active? | Yes | No |
Is the token issued by UAA? | Yes | Yes |
Is the issuing application still available? | Yes | No |
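The four local checks listed for FastTokenService above (signature against the cached zone public key, issuer, expiry, not issued for a future date), as an added Go example that is not Predix's Java library or any UAA code. It assumes the zone's RSA public key has already been fetched and cached elsewhere and is passed in as pub; MintToken and the issuer URL exist only to produce a constructed sample token for exercising the validator offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
type Claims struct { // subset of UAA token claims the local checks need; times are epoch seconds
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
	Iat int64  `json:"iat"`
}
// ValidateLocally mirrors the four FastTokenService checks: RS256 signature against the cached zone key,
// expected issuer, not expired, not issued in the future. The algorithm is fixed by the key we hold, so the JWT header's alg field is deliberately ignored.
func ValidateLocally(token string, pub *rsa.PublicKey, issuer string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("token tampered: bad signature")
	}
	var c Claims // the payload is parsed only after the signature is known good
	if payload, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	if c.Iss != issuer {
		return nil, errors.New("unexpected issuer")
	}
	if now >= c.Exp || c.Iat > now {
		return nil, errors.New("token expired or issued for a future date")
	}
	return &c, nil
}

// MintToken signs an RS256 token with a constructed key; it stands in for UAA only so the validator runs offline.
func MintToken(priv *rsa.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	signing := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```

As the table above shows, none of these checks can tell whether the token was revoked or the user deactivated since issuance; that still requires the remote /check_token call.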
Setting up Fast Token Validation
About This Task
In a typical security scenario, when your application uses UAA, the client accessing your application presents its UAA token issued for authentication. Your application redirects this token to UAA for validation. If your application requires frequent validation of these tokens, it can have an impact on the performance of the application. To mitigate this risk, you can use the Predix FastTokenService library to fetch the UAA token signing key at startup and perform the validation. The FastTokenService library is available through Maven Artifactory.
To use the FastTokenService library,
Procedure
Configuring UAA to Set the Token Expiration Time
You can configure your UAA client to set the expiration time for tokens to regulate the process of token expiry.
About This Task
Depending on the authorization grant type, tokens are assigned a default expiration time. If needed, you can update the token expiry within a set range. To set the expiration time, use the Configuration tab in the UAA Dashboard.
Procedure
Viewing Token Details
You can use the UAA Dashboard to view the details of a token assigned to a client.