How can I verify a token generated by ADFS via an OpenID Connect flow?

I have a requirement to authenticate a user against an external IdP (ADFS) using OpenID Connect and then have Apigee verify the access token created by ADFS. Once that is verified, call out to the API provider. What is the best practice for this scenario?

1 ACCEPTED SOLUTION

Tokens come in various forms. The two most common are

  • opaque tokens
  • JWT

Either can be used for various scenarios. I have previously written about the comparison of these two types of tokens.

There are really 2 possible questions, then:

  1. Can Apigee Edge validate an opaque token issued by ADFS, or any other token issuer?
  2. Can Apigee Edge validate a JWT issued by ADFS, or any other token issuer?

The answer to the first question is: Nope! Not without contacting the token issuer. Basically Apigee Edge has no magic powers.

Suppose token issuer A (maybe it is ADFS, maybe Google Signin, maybe Ping, etc.) issues a token, and then hands it out to the client application. The token looks like: "asksskhkj89rsksfi33fdvd" - in other words it's a random string of characters. There is no inherent meaning embedded in the token. It is undecipherable, because it is a random string. At some point, that token may expire, or it may be unilaterally revoked by the token issuer. The token holder has no way of knowing if the token has expired, or if it has been revoked. If a third party happens to obtain the token, the third party cannot tell what the token is good for, when it expires, or whether it is valid. A third party cannot even tell who issued the token. The only way to answer those questions is to present the token back to the token issuer and ask, "Is this token valid?" This is inherent in the definition of "opaque tokens".

Suppose token issuer B (maybe it is ADFS, maybe Google Signin, maybe Ping, etc.) issues a JWT, and hands that to the client. JWTs are verifiable by any holder. Any party that has the token can decode it, verify the signature (assuming a public/private key signature), and determine if it is expired, who issued it, and so on.

Apigee Edge is like any third party. It cannot unilaterally verify opaque tokens issued by other token issuers. Apigee Edge CAN verify JWTs issued by any token issuer.

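The "any holder can verify a JWT" point from the accepted answer, as an added example that is not part of the original post and not Apigee code: a stand-in issuer mints an RS256 JWT, and a relying party verifies it offline with nothing but the issuer's public key, which is exactly what a gateway does with the IdP's published signing key. The issuer URL, audience value and key are assumptions constructed for the example; in a real deployment the public key would be fetched from the ADFS JWKS endpoint.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// Claims holds the registered claims a relying party checks.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"` // kept as a string here; RFC 7519 also allows an array
	Exp int64  `json:"exp"`
}
var b64 = base64.RawURLEncoding
// signJWT stands in for the token issuer (ADFS in the question): it mints an RS256 JWT.
func signJWT(key *rsa.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}
// VerifyJWT is what any holder of the issuer's public key can do without calling the issuer
// back: pin the algorithm (the token's alg is compared, never obeyed, so "none" is rejected),
// verify the signature over the raw segments, then check exp, iss and aud.
func VerifyJWT(tok string, pub *rsa.PublicKey, iss, aud string, now int64) (c Claims, err error) {
	p := strings.Split(tok, ".")
	hdrJSON, err := b64.DecodeString(p[0])
	var hdr struct{ Alg string `json:"alg"` }
	if len(p) != 3 || err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return c, errors.New("not a compact JWS with the expected alg")
	}
	sig, err := b64.DecodeString(p[2])
	digest := sha256.Sum256([]byte(p[0] + "." + p[1])) // signature covers the raw segments
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, errors.New("bad signature")
	}
	if body, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return c, errors.New("malformed claims")
	}
	if now >= c.Exp || c.Iss != iss || c.Aud != aud {
		return c, errors.New("exp, iss or aud check failed")
	}
	return c, nil
}
```

Feeding the opaque sample token from the answer into VerifyJWT fails at the first check, which is the practical meaning of "Apigee Edge has no magic powers" for opaque tokens.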