JWT Authorizers
Sometimes you need to use Descope tokens with services you do not control and in which you cannot run our Backend SDKs. Or you may already have APIs in place behind services such as AWS and GCP and do not want to write custom code to validate sessions for those APIs.
JWT (JSON Web Token) authorizers are a mechanism for validating and authorizing tokens in a distributed, stateless manner using the OIDC (OpenID Connect) standard.
Instead of relying on our Backend SDKs to validate Descope tokens, you can leverage JWT authorizers provided by cloud providers like Google Cloud Platform (GCP), Amazon Web Services (AWS), and others.
How JWT Authorizers Work
When you use JWT authorizers with Descope, the tokens issued for your application adhere to the OIDC standard.
These tokens contain claims that describe the user's identity and permissions. The token is passed to a cloud service, like GCP or AWS, which uses its built-in JWT authorizer to validate the token and authorize the request.
Key Steps in the Process:
- Token Issuance: Descope issues a JWT after successful authentication, embedding the necessary claims and metadata.
- Token Transmission: The JWT is sent with the request from the client to your backend or directly to the cloud service.
- Token Validation: The cloud service's JWT authorizer validates the token, ensuring it is correctly signed by one of the issuer's published signing keys, that it has not expired, and that the issuer and audience match what the authorizer is configured to accept.
- Authorization Decision: Based on the token’s claims, the cloud service decides whether to allow or deny the request.
Use Cases
1. Serverless Applications
In serverless architectures, where the backend logic is distributed across various services, using a JWT authorizer ensures that each service independently validates tokens without relying on a central backend.
2. Microservices
In a microservices architecture, where different services may be developed and deployed independently, JWT authorizers enable consistent token validation across all services, even if they are written in different languages or hosted on different platforms.
3. API Gateways
API Gateways often include JWT authorizers to secure API endpoints. By using an authorizer with Descope tokens, you can enforce authentication and authorization at the gateway level, ensuring that only valid and authorized requests reach your services.
Setting Up JWT Authorizers with Descope
To set up JWT authorizers with your cloud provider, follow these steps:
- Configure Descope to issue OIDC-compliant JWTs. You can do this with JWT Templates.
- Set up the JWT authorizer in your cloud service (e.g., AWS API Gateway, GCP API Gateway). See the Setup Guides under this section.
- Specify the token issuer and audience to ensure the authorizer validates Descope tokens correctly.
- Test the integration to verify that tokens are validated and requests are authorized as expected.
Using JWT authorizers with Descope’s OIDC-compliant tokens offers a robust, scalable, and secure method of token validation. By leveraging cloud services to handle this critical function, you can simplify your application’s architecture while adhering to industry standards.