JWT Authorizers

JWT authorizers provide a streamlined way to validate Descope tokens without calling our Backend SDKs directly. They are especially useful in these scenarios:

  • Built-in API gateway integrations: If you're using API gateways like AWS API Gateway or GCP Cloud Endpoints, you can leverage their native OIDC JWT authorizers to automatically validate session tokens issued by Descope. This eliminates the need for additional custom validation logic or SDK integration.
  • Interoperability through OIDC: Since OIDC is an open, widely adopted standard, using OIDC JWT authorizers ensures compatibility with third-party services and simplifies integration across your existing infrastructure.

In contrast, use Descope's Backend SDKs when your use case needs logic beyond standard token validation (signature, issuer, audience and expiry), such as user management operations or authorization checks that depend on data the SDK fetches from Descope.

How JWT Authorizers Work

When using JWT authorizers with Descope, Descope issues tokens that adhere to the OIDC standard after a user authenticates.

These tokens contain claims that describe the user's identity and permissions. The client presents the token with each request to a cloud service, like GCP or AWS, whose built-in JWT authorizer validates the token and decides whether the request is admitted.

Key Steps in the Process:

  1. Token Issuance: Descope issues a JWT after successful authentication, embedding the necessary claims and metadata.
  2. Token Transmission: The client sends the JWT with the request, typically as a bearer token in the Authorization header, to your backend or directly to the cloud service.
  3. Token Validation: The cloud service's JWT authorizer validates the token, ensuring that it is correctly signed by one of the issuer's published keys, that it has not expired, and that the issuer and audience match the authorizer's configuration.
  4. Authorization Decision: Based on the token's claims, the cloud service decides whether to allow or deny the request.
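The following Go program is added here as an illustration; it is not code from the Descope documentation or SDKs. It walks through steps 1 to 4 with a freshly generated RSA key: IssueToken stands in for Descope as the issuer (assumption: RS256 signing), and Authorizer.Validate applies the checks a gateway authorizer performs, in the order a gateway performs them (algorithm pinned, key selected by kid, signature verified, then iss, aud and exp compared against the configured values, the same issuer and audience settings the setup steps below ask for). The issuer URL https://issuer.example, the audience orders-api and the key id key-1 are placeholders; a real authorizer loads Keys from the issuer's JWKS endpoint rather than being handed the key directly.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWTs use unpadded base64url (RFC 7515)

// Authorizer is what a gateway JWT authorizer is configured with: the trusted issuer, the
// audiences it accepts, and the issuer's public keys by kid (normally fetched from its JWKS).
type Authorizer struct {
	Issuer    string
	Audiences []string
	Keys      map[string]*rsa.PublicKey
}

type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud any    `json:"aud"` // RFC 7519 allows a string or an array of strings
	Exp int64  `json:"exp"`
}

// Validate runs the checks in the order a JWT authorizer does: pin the alg, look up the
// key by kid, verify the signature, and only then check issuer, audience and expiry.
func (a Authorizer) Validate(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a three-part compact JWS")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unreadable header or unsupported alg") // never accept "none" or HMAC algs here
	}
	key := a.Keys[hdr.Kid] // nil for an unknown kid
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signed input is header.payload
	if key == nil || err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed (kid %q)", hdr.Kid)
	}
	var c Claims // claims are only decoded and trusted after the signature check
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("unreadable claims")
	}
	if c.Iss != a.Issuer {
		return nil, fmt.Errorf("issuer %q is not trusted", c.Iss)
	}
	if !audienceAccepted(c.Aud, a.Audiences) {
		return nil, fmt.Errorf("token was not issued for this audience")
	}
	if !now.Before(time.Unix(c.Exp, 0)) { // a missing exp decodes as 0 and is rejected too
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// audienceAccepted handles both encodings of "aud" and requires at least one match.
func audienceAccepted(aud any, accepted []string) bool {
	list, ok := aud.([]any)
	if !ok {
		list = []any{aud} // single-string form (or nil when the claim is absent)
	}
	for _, got := range list {
		for _, want := range accepted {
			if got == want {
				return true
			}
		}
	}
	return false
}

// IssueToken stands in for the identity provider so the example runs offline: it RS256-signs
// the claims the way an OIDC issuer does. Constructed example helper, not Descope code.
func IssueToken(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // only fails on a broken RNG
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Placeholder issuer and audience; a real authorizer is given the values from your Descope project.
	auth := Authorizer{Issuer: "https://issuer.example", Audiences: []string{"orders-api"}, Keys: map[string]*rsa.PublicKey{"key-1": &priv.PublicKey}}
	for _, aud := range []string{"orders-api", "other-api"} {
		tok := IssueToken(priv, "key-1", map[string]any{"iss": auth.Issuer, "sub": "user-42", "aud": aud, "exp": time.Now().Add(time.Hour).Unix()})
		c, err := auth.Validate(tok, time.Now())
		fmt.Printf("aud=%s -> claims=%+v err=%v\n", aud, c, err)
	}
}
```

Run it with go run: the first token is admitted and the second, minted for a different audience, is refused even though its signature is valid, which is the distinction step 4 relies on. The claims are deliberately decoded only after the signature check, so an attacker-controlled payload never influences which issuer is trusted, and the algorithm is pinned so a header claiming alg none or an HMAC algorithm cannot redirect verification.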

Use Cases

1. Serverless Applications

In serverless architectures, where the backend logic is distributed across various services, using a JWT authorizer ensures that each service independently validates tokens without relying on a central backend.

2. Microservices

In a microservices architecture, where different services may be developed and deployed independently, JWT authorizers enable consistent token validation across all services, even if they are written in different languages or hosted on different platforms.

3. API Gateways

API Gateways often include JWT authorizers to secure API endpoints. By using an authorizer with Descope tokens, you can enforce authentication and authorization at the gateway level, ensuring that only valid and authorized requests reach your services.

Setting Up JWT Authorizers with Descope

To set up JWT authorizers with your cloud provider, follow these steps:

  1. Confirm that the JWTs Descope issues carry the claims your authorizer will check, in particular the issuer (iss) and audience (aud) claims. Claim contents can be customized with JWT Templates.
  2. Set up the JWT authorizer in your cloud service (e.g., AWS API Gateway, GCP API Gateway).
  3. Specify the token issuer and audience (and the JWKS URI, where the authorizer does not derive it from the issuer) so that the authorizer accepts only Descope tokens minted for your API.
  4. Test the integration with a valid token, an expired token and a token issued for a different audience, and verify that only the valid one is admitted.

Using JWT authorizers with Descope’s OIDC-compliant tokens offers a robust, scalable, and secure method of token validation. By leveraging cloud services to handle this critical function, you can simplify your application’s architecture while adhering to industry standards.
