The Benefits of JWTs as OAuth2 Access Tokens

Robert Broeckelmann
2 min read · Oct 13, 2018

Image: nature is green ! / Victor Camilo

Update (01/31/2021) — Since I originally wrote this article, a proposal has been created that officially describes using JSON Web Tokens (JWTs) as OAuth2 Access Tokens. As of this date, it has not yet been adopted as an official RFC.

This is another one of those topics that I have mentioned many times but have never written a dedicated post about: JSON Web Tokens (JWTs) as OAuth2 Access Tokens. At this point, most, but not all, Identity Provider vendors use JWTs as OAuth2 Access Tokens.

I have previously described JWTs in general.

The benefits of using JWTs as Access Tokens include:

  • Allows for a variety of use cases with backend APIs.
  • Supports scopes and audience defined as claims in the JWT (or any resource).
  • Can be validated without connecting to the Authorization Server (Introspection Endpoint) on every API invocation. For this to work, the IdP needs to advertise the signing certificate (public key) used for JWT Access Tokens. That signing certificate may or may not be the same one used for ID Tokens.
  • Can contain a username as a claim.
  • Can contain group or role information as a claim.
  • Support for custom claims.
  • No need to call the OIDC UserInfo Endpoint to get additional user information.
  • Support for stateless security models for APIs. This is in line with the RESTful design principle of statelessness: the information contained in the JWT Access Token is used to recreate the authenticated user’s security context on each API invocation.
  • Defines an expiration date as a claim that can be used to determine when the access token expires, independent of direct communication with the IdP.
  • Defines an issue date as a claim that can be used to determine when the access token was issued, independent of direct communication with the IdP.
  • In theory, this could simplify the amount of information that must be tracked by the IdP for each issued Access Token. That depends on several assumptions.
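As an added example (not code from the original post), here is what that local validation looks like in Go using only the standard library. A freshly generated RSA key stands in for the IdP's advertised signing certificate; `Mint` plays the IdP, and `Validate` is the resource-server side, which checks the signature, issuer, audience, `exp`/`iat` and scope from the token alone, with no introspection or UserInfo call. The issuer, audience and scope values are constructed, and `aud` is assumed to be a single string rather than an array.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims the API relies on; aud is assumed to be a single string here (it may be an array in real tokens).
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Scope string `json:"scope"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

func b64dec(s string) []byte { b, _ := b64.DecodeString(s); return b } // bad input -> nil, which fails the later checks

// Mint stands in for the IdP and signs a constructed RS256 access token (typ "at+jwt" as in the draft profile).
func Mint(key *rsa.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	in := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"at+jwt"}`)) + "." + b64.EncodeToString(body)
	d := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	return in + "." + b64.EncodeToString(sig)
}

// Validate is the resource-server side: only the IdP's advertised public key and the
// token's own claims are consulted, so no introspection or UserInfo call is needed.
func Validate(tok string, pub *rsa.PublicKey, iss, aud, scope string, now int64) (*Claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(b64dec(p[0]), &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("alg must be RS256") // pin the algorithm; "none" or a downgrade is rejected
	}
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], b64dec(p[2])) != nil {
		return nil, errors.New("signature check failed")
	}
	var c Claims
	if json.Unmarshal(b64dec(p[1]), &c) != nil {
		return nil, errors.New("bad payload")
	}
	switch {
	case c.Iss != iss, c.Aud != aud:
		return nil, errors.New("token not from our IdP or not issued for this API")
	case now >= c.Exp, c.Iat > now+60: // exp/iat decided locally; 60s clock skew allowed
		return nil, errors.New("token expired or not yet valid")
	}
	for _, s := range strings.Fields(c.Scope) {
		if s == scope {
			return &c, nil // security context rebuilt from the token alone
		}
	}
	return nil, errors.New("required scope missing")
}
```

In production the public key would come from the IdP's published JWKS (cached, keyed by `kid`) rather than a key generated in-process.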

Robert Broeckelmann

My focus within Information Technology is API Management, Integration, and Identity, especially where these three intersect.