3

Trying to find information about this. I'm wondering what format the OAuth2 Access Token is, or should be. Is it ok to use JWT format for the Access Token?

1
  • I am not sure about the answer, but what I do know to be very bad is if one could generate an access token by formatting userinfo in JWT. So at least make sure you prevent that. Commented Mar 21, 2016 at 11:03

1 Answer

4

OAuth does not specify the access token itself; the format is opaque to the protocol flow. It can be anything you want, e.g. a JWT if you want it to be self-contained.


3 Comments

Thanks. Are there any guidelines for this? I am asking because I first thought about using JWT as it is a "standard", but now I'm wondering if it is unnecessary...
Here's some guidance: nimbusds.com/blog/implementing-oauth-2-0-access-tokens In the end it is up to the agreement between RS and AS, which does not necessarily need to be standardized.
That link's dead, do you have any others to that content, Hans?
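The two token styles discussed in this thread, side by side, as an added example that is not part of the original answer or comments: an opaque reference token the RS resolves by asking the AS, and a self-contained JWT the RS verifies locally. All function names, the in-memory store and the shared HS256 key are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

AS_RS_SHARED_KEY = secrets.token_bytes(32)  # assumption: key agreed between AS and RS
opaque_store = {}                           # assumption: stands in for the AS token database

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_opaque(sub, scope, ttl=300):
    """Reference token: a random handle; the claims never leave the AS."""
    token = secrets.token_urlsafe(32)
    opaque_store[token] = {"sub": sub, "scope": scope, "exp": int(time.time()) + ttl}
    return token

def introspect_opaque(token):
    """What the RS learns by asking the AS about the handle."""
    claims = opaque_store.get(token)
    if claims is None or claims["exp"] <= time.time():
        return None
    return claims

def sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_jwt(sub, scope, ttl=300, key=None):
    """Self-contained token: the claims travel inside it, protected by a MAC."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "scope": scope, "exp": int(time.time()) + ttl}
    payload = b64url_encode(json.dumps(claims).encode())
    sig = sign(f"{header}.{payload}", key or AS_RS_SHARED_KEY)
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_jwt(token, key=None):
    """RS-side check with no call to the AS; returns the claims or None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose it
        expected = sign(f"{header_b64}.{payload_b64}", key or AS_RS_SHARED_KEY)
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # userinfo merely formatted as a JWT fails here
        claims = json.loads(b64url_decode(payload_b64))
        return claims if claims.get("exp", 0) > time.time() else None
    except (ValueError, TypeError, AttributeError):
        return None
```

The opaque form costs the RS a lookup at the AS per request but can be revoked by deleting the entry; the JWT form needs no lookup but stays valid until `exp` unless the RS is given some other revocation signal.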
