I have been reading about OAuth and JWT in general. One question that has been troubling me is around authentication of SPA that use APIs to provide data.
As per my understanding:
- SPA shows user a login page.
- User grants credentials and hits login button
- API takes the credentials and verifies them against its database.
- API generates a JWT token and adds a signature using a secret string value that only API knows.
- JWT is sent back to SPA and SPA stores it in cookies or just creates a global variable.
- SPA sends this JWT to API with each HTTP request.
- API doesn’t have to validate it against DB, it just has to verify if it is a valid JWT and is still active. It can do so because it has the secret key with which the Token was signed.
Is my understanding correct? If so then what happens if there is a separate Authentication server?
- The SPA will redirect the user to Authentication Server’s login page.
- User grants credentials and then Authentication server validates it and generates an Authentication Code and sends it back to SPA on the callback URL.
- This Authentication Code is sent to API and the API sends it to the Authentication server along with clientId and a clientSecret.
- The Authentication server will generate an access token and send it to API, and the API will send it to SPA.
- The SPA will carry this token in each request.
The API is able to verify that it is a valid token since it has the ClientId and Client Secret that were used to generate the token by the authentication server?
Is that how it works? Is my understanding correct?
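The first flow in the question (the API signs a JWT with a secret only it knows, then verifies signature and expiry on every request without a database lookup) is what the following example demonstrates. This is an added illustration, not code from the question or from any library; `issue_jwt`, `verify_jwt` and the `SECRET` value are constructed for the demo, and the token is a minimal HS256 JWT built with the standard library only. It also shows the two checks an API should make before trusting the payload: a constant-time signature comparison with the algorithm pinned to what the API expects, and an `exp` check so that a stolen-but-expired token is rejected.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. In practice this is a long random value held only by the API.
SECRET = b"api-only-secret-demo-value"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; re-adds the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(user_id: str, secret: bytes, ttl_seconds: int = 900,
              now: Optional[int] = None) -> str:
    """Build an HS256 JWT for user_id, valid for ttl_seconds from now."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the token is correctly signed and not expired, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts

    try:
        header = json.loads(_b64url_decode(header_b64))
        provided_sig = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return None

    # Pin the algorithm: the API decides how it verifies, the token does not.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None

    expected_sig = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected_sig, provided_sig):
        return None

    # Only now is the payload trustworthy enough to parse and check for expiry.
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
        return None
    if now >= payload["exp"]:
        return None
    return payload


def demo() -> dict:
    """Issue a token and show the outcomes an API sees for good, expired, and tampered tokens."""
    issued_at = 1_700_000_000
    token = issue_jwt("alice", SECRET, ttl_seconds=900, now=issued_at)
    header_b64, _payload_b64, sig_b64 = token.split(".")
    # Constructed tampering: same header and signature, but a different subject.
    forged_payload = _b64url(json.dumps(
        {"sub": "admin", "iat": issued_at, "exp": issued_at + 900},
        separators=(",", ":")).encode())
    forged_token = f"{header_b64}.{forged_payload}.{sig_b64}"
    return {
        "valid": verify_jwt(token, SECRET, now=issued_at + 100),
        "expired": verify_jwt(token, SECRET, now=issued_at + 900),
        "wrong_secret": verify_jwt(token, b"some-other-secret", now=issued_at + 100),
        "tampered": verify_jwt(forged_token, SECRET, now=issued_at + 100),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'accepted as ' + result['sub'] if result else 'rejected'}")
```

The `now` parameter exists only so the expiry behaviour can be exercised deterministically; a real API would leave it at the default wall-clock time. Note that the signature check runs before the payload is parsed, so nothing in an unsigned or mis-signed token ever influences the API's decision.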