JWT(Json Web Token) farm servers implementation

Question

I am working in a solution, where we have a farm server in order to handle the application. Is there a problem if I use JWT ? I mean if my server A is down and the user got the token from server A and send the request to server B using the JWT generated by the server B, the server B will able to authenticate the request using the JWT generated by the server A?

best Regards

Answer 1

Yes, the tokens should be accepted if the audience ("aud") is valid.

The "aud" (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected. In the general case, the "aud" value is an array of case- sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific.

B could also check that the token's issuer ("iss") is one of the farm servers, or all the servers could use the same issuer.

More info in the JWT spec.