Is there any way to check whether the JWT token the OAuth client gets from the identity server is OK or not?
I'm afraid that when the user gets the access_token and uses base64 to decode it, the user can modify the token string.
My scenario is: I have two web portals, A and B, and both of them integrate the Thinktecture identity server. User A can only access portal A with the "role:portalA" claim and should not be able to access portal B. If user A logs in to portal A, gets the access_token, adds "role:portalB" into the access_token and then encodes it with base64 again, and the modified access_token is passed to portal B, I'm afraid that user A could access portal B. So I have to check the access_token against the identity server again. Is there any way to validate this access_token? Or will this situation never happen?
I believe Thinktecture Identity Server has an endpoint for this at (baseurl + "/core/accessTokenValidation?token=" + access_token).
Example:
GET request to: http://localhost:3333/core/accessTokenValidation?token=aEdhoi23hlv2khdf2lkhfv4pv....
If the access_token is valid, it should return a 200 response, otherwise it'll return a JSON error message {"error":"invalid_token"} and a 4XX response.
You should wire up a call to this service to validate tokens, then cache the response.
Take a look at the source code: https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Endpoints/Connect/AccessTokenValidationController.cs