Following this Browser Based OAuth flow, when the request comes back to my site, https://oauth2client.com/cb#token=ACCESS_TOKEN, how do I validate that the access token is real to let them into the application?
Does the web application server do a request to the oauth2server to prove the user hasn't just faked an access token?
Using the System.IdentityModel.Services.WSFederationAuthenticationModule, does it do a request to get the user Claims? I just need to know the Claims of the user are real, and don't need to access resources from the OAuth server.
The implicit grant OAuth flow is typically used by HTML5/JS Single Page Apps that make AJAX calls directly to WebAPIs, using the access token that they receive over the fragment.
The JavaScript app doesn't need to validate the token - the WebAPI that it calls must. The WebAPI (if written in .net) can use the JWT Token Handler, or the new OWIN framework (a sample is here: https://github.com/AzureADSamples/SinglePageApp-DotNet).
If your WebAPI technology doesn't have a JWT token handler available and you need to hand-wire the handling, make sure to validate:
- Audience of the token (the token has been issued for your API)
- Issuer of the token (the token has been issued by the trusted authority for the resource)
- Signature of the token (the token has indeed been signed by the issuer - validate using the public key of the token signing key published by the issuer)
- The token hasn't expired
- OAuth Scope (scp)
- then validate other claims that you base your authorization on