Our access tokens are JWSs: JSON Web Signatures that contain a JWT.
This way, if Client One gets an access token, this token can be used to
invoke on Client Foo. Client Foo validates the JWS signature with the
realm's public key and, if it is correct, allows the invocation. This is so that
you don't have to have a hub/spoke authentication for every single REST
invocation.
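The flow the reply above describes, as an added Go example that is not part of the original thread or of Keycloak's own code: the realm signs the JWT claim set into a compact RS256 JWS, and the resource server ("Client Foo") checks the signature with the realm's public key and then the claims, with no call back to the realm. The claim names (iss, aud, sub, exp), the realm URL and the client id are constructed for the demo, and the key pair is generated locally; a real resource server would load the realm's published public key instead.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the JWT claim set carried as the JWS payload; only the claims a
// resource server must check are modelled (assumption: "aud" is one string).
type Claims struct {
	Issuer   string `json:"iss"`
	Audience string `json:"aud"`
	Subject  string `json:"sub"`
	Expiry   int64  `json:"exp"` // seconds since the Unix epoch
}

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

// IssueToken plays the realm: it signs the claims with the realm's private
// key and returns a compact JWS "header.payload.signature" with alg RS256.
func IssueToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyToken plays "Client Foo": it checks the signature with the realm's
// public key and then the claims, with no call back to the realm.
func VerifyToken(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS: expected three segments")
	}
	seg := make([][]byte, 3)
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d is not base64url: %w", i, err)
		}
		seg[i] = b
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// The verifier pins the algorithm; the token never gets to choose it.
	if err := json.Unmarshal(seg[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header rejected: alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]); err != nil {
		return nil, errors.New("signature does not verify under the realm key")
	}
	var c Claims // only now is the payload trustworthy enough to act on
	if err := json.Unmarshal(seg[1], &c); err != nil {
		return nil, fmt.Errorf("bad payload: %w", err)
	}
	if c.Issuer != wantIss {
		return nil, fmt.Errorf("issuer %q is not the trusted realm", c.Issuer)
	}
	if c.Audience != wantAud {
		return nil, fmt.Errorf("audience %q is not this client", c.Audience)
	}
	if !now.Before(time.Unix(c.Expiry, 0)) {
		return nil, errors.New("token has expired")
	}
	return &c, nil
}

func main() {
	// Constructed demo key and claims; a real realm publishes only the public half.
	realmKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	token, _ := IssueToken(realmKey, Claims{Issuer: "https://sso.example.test/realms/demo",
		Audience: "client-foo", Subject: "alice", Expiry: now.Add(5 * time.Minute).Unix()})
	claims, err := VerifyToken(&realmKey.PublicKey, token, "https://sso.example.test/realms/demo", "client-foo", now)
	fmt.Println(claims, err)
}
```

Running it prints the parsed claims and a nil error. The order inside VerifyToken is the point: the signature is checked before any claim is read, the algorithm is fixed by the verifier rather than taken from the header, and audience and expiry are checked so a token minted for one client or already expired is refused even though its signature is genuine.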
On 9/12/16 11:06 AM, Marc Boorshtein wrote:
I'm looking at the OpenID Connect specs and what I don't understand is
why is the access_token returned to my client a JWT? Shouldn't it be
just a code? I'm sending a cope of "code" but there's nothing I can
see that says the access_token should be a JWT other than that's what
everyone seems to do.
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein(a)tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev