Auth Tokens
Opaque token vs Structured token
an unencrypted structured token (like a JWT) can be interpreted by anybody that holds the token, whereas opaque tokens cannot.
The opaque token is a random unique string of characters issued by the authorization server.
- it is issued in a format that is known only to the auth server (unlike JWTs, which use a highly predictable format)
- it contains an identifier to information stored on the authorization server.
- therefore, if the resource server wants to get identity information from the token, it needs to send a request to the introspection endpoint of the auth server.
- on the other hand, a structured token (like a JWT) contains enough information for the resource server to make its authorization decision.
- To validate the token and retrieve the information on the token and the user, the resource server calls the authorization server and requests the token introspection.
Opaque tokens should be the default choice unless we want our client to be able to parse the token (which turns out is a common requirement with webapps)
- ex. a service framework in which you only pass the token to the service as a blind claim; you have no idea what it says, but you know it works and identifies you. It is only up to the service to confirm it's you via the secret key or cipher.
Children
Backlinks