PHP Laravel Protected API: Offline Token Validation


I would like to protect API endpoint of my PHP Laravel Webserver using OAuth. I have followed the instructions from Protecting a Laravel API with JWT | Okta Developer which works fine. However, I would want my server to be able to do the verification without having access to the internet (and thus to okta’s authorization server). This does not seem to work as the JWT token validation procedure tries to contact the authorization server. Is there a way to perform the validation offline? (use case is client authenticated to server with JWT through local network with no internet access)

In order to validate tokens locally instead of remotely, you will need to occasionally reach the /keys endpoint to validate the token signature.

Short of ensuing the application is able to communicate with Okta only 4 times a year (when keys are rotated automatically), for your use case, you could potentially look into disabling automatic key rotation on a custom authorization server.

This will of course mean your app will not be following the security best practices we recommend, but its a potential option if you’re able to accept those compromises.

1 Like