@erbrecht There are 2 types of tokens - self-contained and opaque. Self-contained tokens contain all the attributes within them, e.g. a Jwt. On the other end, an opaque token (or reference token) is a unique identifier that points to the set of attributes associated with it in a protected datastore on the Authorization Server. When the client needs to access some (or all) of the attributes of the opaque token, then they need to call the Introspection endpoint on the Authorization Server.
We actually recently implemented http.oauth2ResourceServer().opaqueToken() via #5200.
I'll close this as a duplicate but feel free to try out the sample.
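As an added illustration (not code from this issue or from the Spring Security project), here is how a resource server consumes opaque (reference) tokens with the `opaqueToken()` support mentioned above, resolving the reference through the Authorization Server's introspection endpoint. The endpoint URL, client credentials and expected audience are placeholder assumptions, and wrapping the stock `NimbusOpaqueTokenIntrospector` with an audience check is an added hardening step, not something the reply prescribes.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class OpaqueTokenResourceServerConfig {

    // Placeholder values (assumptions): the Authorization Server's introspection endpoint
    // and the credentials this resource server uses to authenticate to it.
    private static final String INTROSPECTION_URI = "https://auth.example.test/oauth2/introspect";
    private static final String CLIENT_ID = "resource-server";
    private static final String CLIENT_SECRET = "change-me";
    private static final String EXPECTED_AUDIENCE = "orders-api";

    @Bean
    SecurityFilterChain resourceServer(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // The client only ever holds the opaque reference; the resource server
            // turns it into attributes by calling the introspection endpoint (RFC 7662).
            .oauth2ResourceServer(rs -> rs.opaqueToken(ot -> ot.introspector(introspector())));
        return http.build();
    }

    @Bean
    OpaqueTokenIntrospector introspector() {
        OpaqueTokenIntrospector delegate =
            new NimbusOpaqueTokenIntrospector(INTROSPECTION_URI, CLIENT_ID, CLIENT_SECRET);
        // Wrap the stock introspector so a token minted for a different resource is
        // rejected even though the Authorization Server reports it as active.
        return token -> {
            OAuth2AuthenticatedPrincipal principal = delegate.introspect(token);
            List<String> aud = principal.getAttribute(OAuth2IntrospectionClaimNames.AUDIENCE);
            if (aud == null || !aud.contains(EXPECTED_AUDIENCE)) {
                throw new BadOpaqueTokenException("token not issued for " + EXPECTED_AUDIENCE);
            }
            return principal;
        };
    }
}
```

Every request to the resource server costs one introspection round trip, so cache introspection results only for a period shorter than the token lifetime the Authorization Server reports.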
Summary
I've seen some talks and articles recently that go into JWTs and passing them by value and by reference. The default behavior, at least for the spring implementations I've seen, is to pass a JWT by value, meaning the actual JWT is passed to a client. In the case of a mobile or native app, it may be desirable for the authorization server to pass a JWT by reference, where an opaque identifier is sent to a client. The client sends that opaque identifier back with the resource request, and the actual JWT is extracted in order to be used by the resource server. This could happen at a proxy API, or by the resource server itself.
Is it possible to support passing JWTs by reference? I searched and couldn't find an existing issue, so apologies if this is a duplicate.
Since I'm not the most well versed person when it comes to this specific feature, here are a couple resources. I've summarized above, but these probably do a better job of explaining than I could.
This document is specific to Identity Server, but the general feature is described:
http://docs.identityserver.io/en/latest/topics/reference_tokens.html
This gets into OpenID Connect, but the general subject of by reference and by value tokens still stands I think.
https://youtu.be/WyHem7pFWQM?t=1486 until about 26:05
https://youtu.be/WyHem7pFWQM?t=2075