Tags: openid, openid-connect, identityserver4

IdentityServer4: why do we need the discovery endpoint?


Disclaimer: I am new to IdentityServer. Currently experimenting with IdentityServer4.

We have a Webserver with C# webservices which should be accessible only to authorized users. We want to use IdentityServer4 to issue JWT Access Tokens.

Partners are accessing the token endpoint to get the JWT Token. Our backend webservices are receiving the token and then make a call to the discovery endpoint on the identity server to decrypt the token.

I do not understand how this is secured.

  • Do I need to publish the discovery endpoint?

I only want my internal backend applications to use it.

  • I wonder if I really need to publish the discovery endpoint. Shouldn't it be protected?
  • Is there another way to decrypt the Token?

Thanks for the help!


Solution

  • The discovery endpoint (.well-known/openid-configuration) hosts what is known as the discovery document. In a nutshell, for most practical purposes, OpenID Connect clients might use this document to configure themselves against the OpenID Connect provider.

    In general terms, some clients, regardless of implementation platform, be it .NET, Java or Python, might want the discovery document in order to do token validation against tokens which were supposedly issued by the security token server.

    Let's take a look at Google's discovery document, for example, which can be found here. You'll notice that this is a pretty standard discovery document; however, they have some custom values for each of the keys in this document. They support RS256 only for token signing, and they support a whole lot of OpenID Connect flows, inferred by the response_types_supported key in this document. This document can straight up give any client relying on this OpenID Connect provider a lot of information without having to do some convoluted protocol preamble.

    Finally, with respect to your questions regarding security: you do need to publish the discovery endpoint. The jwks_uri is the URI of your OpenID Connect provider that contains your JSON Web Key Set; this is a set of security materials (normally public or shared keys) that are used to verify tokens in the validation process.

    You can also use the introspection endpoint (located through the discovery document) to validate tokens. You don't decrypt the tokens; they are just validated. The tokens are encrypted by virtue of SSL. So if you want to, you can use the introspection endpoint to validate tokens, but that means that you are adding that round-trip call to validate tokens on top of every request that uses the JWT bearer token.

    In short, the discovery document is quite important; it contains security materials that can allow you to do JWT validation without doing an out-of-band call.
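As an added illustration of what the answer describes (this is editor-supplied example code, not part of the original question or answer and not IdentityServer4's own code), here is how a C# backend web service on ASP.NET Core would consume the discovery document and JWKS. The JWT bearer middleware, given only `Authority`, downloads `{Authority}/.well-known/openid-configuration` at startup, follows `jwks_uri` to fetch the public signing keys, caches them, and then checks every incoming bearer token's signature, issuer, audience and lifetime locally, with no per-request call back to IdentityServer. The authority URL `https://identity.example.com` and the audience `partner-api` are placeholders you would replace with your own IdentityServer host and API resource name.

```csharp
// Program.cs for a minimal ASP.NET Core API (.NET 6+ hosting model).
// Requires the Microsoft.AspNetCore.Authentication.JwtBearer package.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Placeholder: the public base URL of your IdentityServer4 host.
        // The handler appends /.well-known/openid-configuration to this value,
        // reads jwks_uri from the returned document, and fetches the key set.
        options.Authority = "https://identity.example.com";

        // Placeholder: the API resource name registered in IdentityServer.
        // Access tokens issued for this API carry it in the "aud" claim.
        options.Audience = "partner-api";

        // Refuse to pull discovery metadata over plain HTTP; the discovery
        // document and JWKS are public data, but their integrity matters.
        options.RequireHttpsMetadata = true;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,          // "iss" must equal the discovery document's issuer
            ValidateAudience = true,        // "aud" must contain the Audience above
            ValidateLifetime = true,        // reject expired or not-yet-valid tokens
            ValidateIssuerSigningKey = true,// signature must verify against a JWKS key
            ClockSkew = TimeSpan.FromMinutes(1) // tighter than the 5-minute default
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// A protected endpoint: reached only with a valid bearer token from the authority.
app.MapGet("/orders", (ClaimsPrincipal user) =>
{
    var subject = user.FindFirst("sub")?.Value ?? "(no sub claim)";
    var clientId = user.FindFirst("client_id")?.Value ?? "(no client_id claim)";
    return Results.Ok(new { subject, clientId });
}).RequireAuthorization();

app.Run();
```

Two practical notes. First, the discovery endpoint has to be reachable by this backend but carries no secrets: the JWKS holds only public keys, so publishing it does not weaken the system, and the private signing key never leaves IdentityServer. Second, the handler refreshes its cached key set automatically when a token arrives with a `kid` it has not seen, so rotating signing keys on IdentityServer does not require redeploying the API; what does matter is that `Authority` exactly matches the `issuer` value IdentityServer puts in the discovery document, otherwise every token fails issuer validation.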