I have read some documentation on using ADFS. I understand it returns a token which is later passed by the client. In the diagrams, I can see that WebApi is validating the token, but I don't understand how. Maybe the API has access to the public key with which it verifies the token? If the API, after receiving the token, asked e.g. ADFS to confirm that the token is correct, I would understand, but it seems that it is not needed.
Images from: docs.microsoft
CodePudding user response:
It is up to the application to validate the token.
Yes, it has access to the public key.
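The answer's point, that the API checks the token's signature locally with the issuer's public key and never calls back to ADFS, as an added example that is not from the question, the answer or Microsoft's docs. It is a toy RS256 signer/verifier on the Python standard library only; the key pair, issuer and audience values are constructed stand-ins, and a real API would use a JWT library and load the public key from the ADFS federation metadata.

```python
import base64, hashlib, json, random, time
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo for SHA-256
def _b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64url(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_probable_prime(n, rounds=16):               # Miller-Rabin, enough for a toy key
    if n < 4 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def make_keypair(bits=512):                         # toy RSA pair standing in for the IdP's signing cert
    def prime():
        while True:
            p = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if p % 65537 != 1 and _is_probable_prime(p): return p
    p, q = prime(), prime()
    return (p * q, 65537), (p * q, pow(65537, -1, (p - 1) * (q - 1)))   # (public, private)
def _emsa(msg, n):                                  # EMSA-PKCS1-v1_5 with SHA-256, sized to modulus n
    t = _SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * ((n.bit_length() + 7) // 8 - len(t) - 3) + b"\x00" + t

def sign_jwt(claims, priv):                         # what the IdP (ADFS) does once, at issuance
    n, d = priv
    si = _b64url(b'{"alg":"RS256","typ":"JWT"}') + "." + _b64url(json.dumps(claims).encode())
    sig = pow(int.from_bytes(_emsa(si.encode(), n), "big"), d, n)
    return si + "." + _b64url(sig.to_bytes((n.bit_length() + 7) // 8, "big"))

def verify_jwt(token, pub, issuer, audience):       # what the API does per request, with no call back
    n, e = pub
    try:
        h, p, s = token.split(".")
        sig = int.from_bytes(_unb64url(s), "big")
        # Pin the algorithm (never trust the token's own choice), then check the signature.
        if json.loads(_unb64url(h)).get("alg") != "RS256" or sig >= n or \
                pow(sig, e, n) != int.from_bytes(_emsa(f"{h}.{p}".encode(), n), "big"):
            return None
        claims = json.loads(_unb64url(p))
        if claims.get("iss") != issuer or claims.get("aud") != audience or claims.get("exp", 0) <= time.time():
            return None                             # wrong issuer or audience, or expired
        return claims
    except (ValueError, AttributeError, TypeError):  # malformed structure, base64, JSON or claims
        return None
```

Only the signature check needs the key; the issuer, audience and expiry checks are what stop a valid token for another API, or an old one, from being accepted.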