JSON Web Tokens

Feature: Format
Description: How is it encoded
Details:

  1. By value (contains all the details within it, can be validated by the receiver without calling the AS, can be encrypted/signed, e.g. JWTs, SAML, CWTs)

  2. By reference (random string that acts as a reference to a DB entry; only the AS can read it)

Feature: Purpose
Description: Who is it for
Details:

  1. Access token -> Resource Server

  2. Refresh token -> Authorization Server

  3. ID Token (OpenID Connect) -> Client

Feature: Type
Description: How can it be used
Details:

  1. Bearer (coin analogy -> if you find one, you don't need to prove that it is yours, you can use it as is)

  2. Proof of Possession (PoP)/Holder of Key (HoK) (credit card analogy -> you need proof of ownership to use it. These are sender-constrained tokens, i.e., bound to a single holder, the sender that holds the key)

JSON Web Tokens

  • JWT is a format

  • Can be used for many purposes

    • ID Tokens are always JWTs

    • Access tokens can be JWTs

    • Refresh tokens are (almost) never JWTs

  • Most often are signed (JWS)

  • Can be encrypted (JWE)
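The table above (by-value vs. by-reference tokens, bearer vs. proof-of-possession) and the bullets on signed JWTs are illustrated by the following Python script. It is an added example written for these notes, not code from the notes' author or from any library: it uses only the standard library, signs a by-value token as an HS256 JWS that the resource server validates locally, embeds a `cnf` claim with a key id (RFC 7800 "confirmation using a key id") to make a token sender-constrained, and models a by-reference token as a random handle that only the AS-side store can resolve. The signing key, the holder key, the key registry, the nonce/HMAC proof scheme (a simplified stand-in for DPoP or mTLS binding) and the in-memory store are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample material for the demo; a real AS keeps signing keys in a KMS/HSM.
AS_SIGNING_KEY = b"constructed-hs256-key-not-for-real-use"
REFERENCE_DB = {}                       # AS-side store for by-reference tokens
# Holder keys the RS knows out of band (RFC 7800 "confirmation using a key id").
RS_KNOWN_HOLDER_KEYS = {"client-key-1": b"constructed-holder-key-1"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _enc_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


# ---- by-value token: a signed JWT (JWS, HS256) ----
def issue_jwt(sub, aud, now, ttl=300, holder_kid=None):
    """AS mints a self-contained access token. With holder_kid the token is
    sender-constrained: the 'cnf' claim names the key the presenter must prove."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "https://as.example", "sub": sub, "aud": aud,
              "iat": now, "exp": now + ttl}
    if holder_kid is not None:
        claims["cnf"] = {"kid": holder_kid}
    signing_input = _enc_json(header) + "." + _enc_json(claims)
    sig = hmac.new(AS_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token, expected_aud, now):
    """RS validates locally, without calling the AS: pinned alg, constant-time
    signature check, audience and expiry. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":   # rejects alg=none etc.
        raise ValueError("unexpected alg")
    expected = hmac.new(AS_SIGNING_KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


# ---- bearer vs. proof-of-possession at the RS ----
def holder_proof(holder_key, nonce):
    """Client side: proves possession of the bound key for this request (constructed scheme)."""
    return hmac.new(holder_key, nonce.encode(), hashlib.sha256).hexdigest()


def authorize(token, aud, now, nonce=None, proof=None):
    """RS decision. A bearer token (no 'cnf') is accepted on presentation alone, like a
    found coin. A sender-constrained token also needs a valid proof for the RS's nonce."""
    claims = verify_jwt(token, aud, now)
    cnf = claims.get("cnf")
    if cnf is None:
        return "bearer-ok"
    key = RS_KNOWN_HOLDER_KEYS.get(cnf.get("kid"))
    if key is None or nonce is None or proof is None:
        raise ValueError("proof of possession required")
    if not hmac.compare_digest(holder_proof(key, nonce), proof):
        raise ValueError("proof of possession failed")
    return "pop-ok"


# ---- by-reference token: opaque handle, only the AS can resolve it ----
def issue_reference_token(sub, aud, now, ttl=300):
    handle = secrets.token_urlsafe(32)            # random; carries no claims at all
    REFERENCE_DB[handle] = {"sub": sub, "aud": aud, "exp": now + ttl}
    return handle


def introspect(handle, now):
    """AS-side lookup (what RFC 7662 introspection does over HTTP); the RS
    cannot read anything from the handle itself."""
    rec = REFERENCE_DB.get(handle)
    if rec is None or now >= rec["exp"]:
        return {"active": False}
    return {"active": True, **rec}


if __name__ == "__main__":
    NOW, AUD = 1_700_000_000, "https://api.example"
    print(authorize(issue_jwt("alice", AUD, NOW), AUD, NOW))                    # bearer-ok
    bound = issue_jwt("alice", AUD, NOW, holder_kid="client-key-1")
    proof = holder_proof(RS_KNOWN_HOLDER_KEYS["client-key-1"], "rs-nonce-1")
    print(authorize(bound, AUD, NOW, "rs-nonce-1", proof))                     # pop-ok
    print(introspect(issue_reference_token("bob", AUD, NOW), NOW)["active"])   # True
```

The contrast the notes draw shows up in the two failure paths: a stolen bearer JWT is accepted as long as its signature and expiry hold, while the `cnf`-bound one is refused without a fresh proof, and a stolen reference handle reveals nothing offline because every check has to go through the AS store.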
