Tags: authentication, access-token, identityserver4

How does Identity Server validate the token at the API, or when we use the Authorize attribute?


I am using Identity server 4 as identity provider.

After getting the token for a successful login, we pass this token to the resource server.

My question is: how does the Identity Server provider at the resource server end validate the submitted token?

When I observed the traffic using Fiddler, I didn't see any request submitting the token to the provider to check.

Which means the Identity Server provider at the resource server end is itself validating the token?

Then why do we need to provide Authority when it is not checking against it?

How does the Identity Server provider at the resource end make sure it is issued by a valid token provider?


Solution

  • JWT tokens are self-contained, and do not need a round-trip to verify that they are still valid with each use ... they are valid so long as they haven't expired, providing they haven't been tampered with which only involves signature checking.

    You can set your client up though to request reference tokens (and set up your API to accept them), and these tokens will involve a round-trip every time they are used. You have the ability then to revoke tokens, which you can't do with JWTs.
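The local checks the answer describes, as an added example (this is not code from the question, the answer, or IdentityServer itself). The Authority is what the resource server contacts once, at startup, to read the issuer name from the discovery document and download the signing keys; here those are replaced by constructed values (`EXPECTED_ISSUER`, `EXPECTED_AUDIENCE`, `KEY_SET`). It also assumes HS256 with a shared secret instead of IdentityServer's usual RS256 public-key signatures, so it runs with the Python standard library only; the sequence of checks (known key, signature, issuer, audience, expiry) is the same either way, and no network call happens per request.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for what the resource server learns from the Authority at
# startup: the discovery document gives the issuer name, the JWKS endpoint gives
# the signing keys keyed by "kid". After that, every token is checked locally.
# Assumption: HS256 shared secret rather than IdentityServer's RS256 key pair.
EXPECTED_ISSUER = "https://idp.example.test"      # constructed issuer name
EXPECTED_AUDIENCE = "api1"                         # constructed API resource name
KEY_SET = {"kid-demo": b"constructed-demo-secret-not-for-real-use"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(claims: dict, kid: str) -> str:
    """Token provider side: sign header.payload with the key named by kid."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _encode_json(header) + "." + _encode_json(claims)
    sig = hmac.new(KEY_SET[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, now=None) -> dict:
    """Resource server side: validate entirely locally; ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":            # pin the algorithm; never trust "alg" alone
        raise ValueError("unexpected alg")
    key = KEY_SET.get(header.get("kid"))
    if key is None:                             # signed by a key we never got from the Authority
        raise ValueError("unknown signing key")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")       # tampered or forged
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def outcome(token: str, now: float) -> str:
    """'ok' or the rejection reason, to show which check catches what."""
    try:
        validate_token(token, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def tamper_subject(token: str, new_sub: str) -> str:
    """Rewrite the payload but keep the old signature, as a tampered token would."""
    h64, p64, s64 = token.split(".")
    claims = json.loads(_b64url_decode(p64))
    claims["sub"] = new_sub
    return f"{h64}.{_encode_json(claims)}.{s64}"


if __name__ == "__main__":
    now = 1_700_000_000
    good = issue_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                        "sub": "alice", "exp": now + 3600}, "kid-demo")
    print("valid token:  ", outcome(good, now))
    print("tampered sub: ", outcome(tamper_subject(good, "admin"), now))
    print("after expiry: ", outcome(good, now + 7200))
```

The `kid` lookup is the piece that answers the "why Authority" question: the resource server only accepts signatures made with keys it fetched from the Authority, so a token signed by anyone else fails at `unknown signing key` or `bad signature` without ever calling back to the provider. Revocation is the one thing this model cannot do, which is why the answer points to reference tokens when that is required.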