JSON Web Tokens
Format
How is it encoded
By value (self-contained: the token carries all of its claims, so the receiver can validate it locally, i.e. check the signature, exp, aud and iss, without calling the AS; it can be signed and/or encrypted, e.g. JWTs, SAML assertions, CWTs, etc. Caveat: once issued it cannot be revoked by the AS without extra machinery such as short lifetimes, revocation lists or introspection)
By reference (an opaque random string that is only a handle to a record in the AS's database; only the AS can resolve it, so the receiver has to call back, e.g. via token introspection, to learn what it means and whether it is still valid)
Purpose
Who is it for
Access token -> presented to the Resource Server (the API)
Refresh token -> presented to the Authorization Server to obtain new access tokens
ID Token (OpenID Connect) -> consumed by the Client; it asserts who authenticated and is not meant to be sent to APIs
Type
How can it be used
Bearer (coin analogy -> if you find one, you don't need to prove that it is yours, you can use it as is; so anything that leaks the token, such as logs, referrers or a compromised client, lets the finder replay it)
Proof of Possession (PoP)/Holder of Key (HoK) (credit card analogy -> you need proof of ownership to use them. They are sender-constrained tokens, i.e., bound to a key the client holds, e.g. via mutual TLS (RFC 8705) or DPoP (RFC 9449); the resource server checks that proof on every request, so a stolen token alone is useless)
JWT is a format
A JWT is a compact, URL-safe string of base64url-encoded parts separated by dots (header.payload.signature for a JWS)
Can be used for many purposes
ID Tokens are always JWTs (required by OpenID Connect Core)
Access tokens can be JWTs (RFC 9068 defines the JWT profile for OAuth 2.0 access tokens)
Refresh tokens are (almost) never JWTs (only the AS ever reads them, so an opaque reference is enough)
Most often are signed (JWS); the receiver must pin the expected alg and key rather than trusting the token's own header (alg "none", key confusion)
Can be encrypted (JWE)
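The three distinctions above (by value vs. by reference, bearer vs. sender-constrained, and a signed JWS as the by-value format) in one runnable example. This is added illustration code, not code from the original page or from any OAuth/OIDC library: it mints and verifies an HS256 JWS with only the standard library, keeps reference tokens in an in-memory dict standing in for the AS database, and models mTLS-style sender constraining (RFC 8705, `cnf.x5t#S256`) by assuming the TLS layer hands the resource server the DER bytes of the client certificate it already authenticated. The key, claims, URLs and "certificates" are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key shared by the AS and the RS (HS256). A real deployment would
# sign with an asymmetric key so the RS only ever holds the AS's public key.
AS_SIGNING_KEY = b"constructed-demo-key-do-not-use"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _enc_json(obj):
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

# --- By value: a signed JWT (JWS, HS256) carries all of its claims -------------
def mint_jws(claims, key):
    signing_input = _enc_json({"alg": "HS256", "typ": "at+jwt"}) + "." + _enc_json(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jws(token, key, now=None):
    """Resource-server side: everything needed is inside the token, no call to the AS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    # Pin the algorithm the RS expects; never let the token choose it (alg "none", key confusion).
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if "exp" not in claims or claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

# --- By reference: an opaque random handle that only the AS can resolve --------
class AuthorizationServer:
    def __init__(self):
        self._store = {}

    def issue_reference_token(self, claims):
        handle = secrets.token_urlsafe(32)  # reveals nothing to whoever holds it
        self._store[handle] = dict(claims)
        return handle

    def introspect(self, handle):
        """Simplified RFC 7662-style introspection: the RS has to ask the AS."""
        claims = self._store.get(handle)
        return {"active": False} if claims is None else {"active": True, **claims}

# --- Bearer vs. sender-constrained (PoP) at the resource server ----------------
def bearer_accepts(token, key, now=None):
    """Bearer: whoever presents a valid token is served; no proof of who they are."""
    try:
        verify_jws(token, key, now)
        return True
    except ValueError:
        return False

def pop_accepts(token, key, presented_cert, now=None):
    """Sender-constrained, mTLS-style (RFC 8705): the token's cnf claim holds the SHA-256
    thumbprint of the client certificate, and the TLS handshake already proved that the
    presenter holds that certificate's private key. The TLS layer is modelled here as
    simply handing the RS the DER bytes of the presented certificate (an assumption)."""
    try:
        claims = verify_jws(token, key, now)
    except ValueError:
        return False
    bound = claims.get("cnf", {}).get("x5t#S256")
    if bound is None:
        return False  # a PoP endpoint must not silently downgrade to bearer
    return hmac.compare_digest(bound, b64url(hashlib.sha256(presented_cert).digest()))

def demo(now=1_700_000_000):
    # Constructed sample claims and "certificates" (any bytes do for the thumbprint).
    alice_cert, mallory_cert = b"constructed DER cert of alice", b"constructed DER cert of mallory"
    claims = {"iss": "https://as.example", "sub": "alice", "aud": "https://api.example",
              "scope": "read", "exp": now + 300}
    bearer = mint_jws(claims, AS_SIGNING_KEY)
    pop = mint_jws({**claims, "cnf": {"x5t#S256": b64url(hashlib.sha256(alice_cert).digest())}},
                   AS_SIGNING_KEY)
    as_ = AuthorizationServer()
    ref = as_.issue_reference_token(claims)
    return {
        "by_value_sub": verify_jws(bearer, AS_SIGNING_KEY, now)["sub"],
        "by_reference_active": as_.introspect(ref)["active"],
        "unknown_reference_active": as_.introspect("never-issued")["active"],
        "bearer_anyone": bearer_accepts(bearer, AS_SIGNING_KEY, now),
        "pop_alice": pop_accepts(pop, AS_SIGNING_KEY, alice_cert, now),
        "pop_stolen_by_mallory": pop_accepts(pop, AS_SIGNING_KEY, mallory_cert, now),
        "bearer_token_at_pop_endpoint": pop_accepts(bearer, AS_SIGNING_KEY, alice_cert, now),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows the contrast the notes draw: the JWS is validated entirely on the RS, the reference token is meaningless until the AS introspects it, the bearer token is accepted from anyone who holds it, and the PoP token is rejected when Mallory presents it over a connection authenticated with her own certificate. Note that `verify_jws` pins `alg` and the key instead of reading them from the token, and that `pop_accepts` refuses a token without a `cnf` claim rather than falling back to bearer semantics.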