Is there any way for the OAuth client to check whether the JWT token it gets from the identity server is OK or not?
I am afraid that when a user gets the access_token and uses base64 to decode it, the user can modify the token string.
My scenario is: I have two web portals, A and B, both integrated with the Thinktecture identity server. User A can access only portal A, with the "role:portalA" claim, and cannot access portal B. If user A logs in to portal A and gets the access_token, then adds "role:portalB" to the access_token and encodes it with base64 again, and the modified access_token is passed to portal B, I am afraid that user A could access portal B. So I have to check the access_token with the identity server again. Is there any way to validate this access_token? Or will this situation not happen?
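
The scenario in the question, as an added example that is not part of the original post: a portal that verifies the token's signature before reading any claim rejects a payload that was decoded, edited and re-encoded. It assumes HS256 with a constructed demo key and a `role` claim holding a list; the function names are hypothetical and this is not the identity server's own code.

```python
import base64, hashlib, hmac, json

# Constructed demo key (assumption); the real signing key lives with the issuer.
SIGNING_KEY = b"demo-signing-key-not-known-to-end-users"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()

def issue(claims: dict) -> str:
    """Issuer side: the signature covers header and payload together."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url(sign(header + '.' + payload))}"

def validate(token: str, required_role: str) -> bool:
    """Portal side: check the signature first, then the role claim."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return False  # refuse "none" or any unexpected algorithm
        if not hmac.compare_digest(sign(header + "." + payload), b64url_decode(sig)):
            return False  # header or payload changed after signing
        roles = json.loads(b64url_decode(payload)).get("role", [])
    except (ValueError, TypeError, AttributeError):
        return False  # malformed token
    if isinstance(roles, str):
        roles = [roles]
    return required_role in roles

def tamper_add_role(token: str, role: str) -> str:
    """The edit described in the question: decode, add a role, re-encode."""
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims["role"].append(role)
    return f"{header}.{b64url(json.dumps(claims).encode())}.{sig}"

if __name__ == "__main__":
    token = issue({"sub": "userA", "role": ["portalA"]})
    forged = tamper_add_role(token, "portalB")
    print("original at portal A:", validate(token, "portalA"))
    print("modified at portal B:", validate(forged, "portalB"))
```

Base64 is only an encoding, so anyone can read and rewrite the payload, but without the signing key the signature no longer matches the edited bytes. A full validation also checks the issuer, audience and expiry claims.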