What is the purpose of calling thinktecture v3 for validating token at api service?

Question

I am using thinktecture identity server v3. I created web application and web api service. when I am accessing the web application, I got the access token from identity server. I used this token as bearer token to communicate with web api. Everything works fine.

But I noticed that at api server, for every request with access token, it automatically calls the identity server. If the idenity server is up, then it served otherwise it gives unauthorize error.

1. What is the purpose of this call?
2. What data it carries with the call?
3. If it is for validating the authority, it will more burden to the identity server.
4. Is it possible to skip this call?

Answer 1

You cannot avoid this:

• when a user authenticates with the identity server, it creates a token which is given to the client to indetify itself. This token is created on the fly by the identity server, which remembers it
• the client presents this token to your Web API server, which knows nothign about it, but knows who can validate it. So your Web API server communicates with the identity server so that it can get the identity back from the identity server

That's the reason why it works this way.

If you wanted to avoid this behavior you could map the identity from the external identity server to an identity controlled by your own web API server, and use an authentication method under your control to avoid querying the token from the external identity server. However, if you're using an identity server is precisely becasue you don't want to implement it by yourself, so this option makes no sense. This option is used when you want to map users from popular external identiy servers (like Google or Facebook) to users under your control.