[keycloak-dev] Why is the access_token a JWT?
Bill Burke
bburke at redhat.com
Mon Sep 12 12:45:24 EDT 2016
Our access tokens are JWSs: JSON Web Signatures that contain a JWT.
This way, if Client One gets an access token, this token can be used to
invoke on Client Foo. Client Foo validates the JWS signature with the
realm's public key and, if correct, allows the invocation. This is so that
you don't have to have a hub/spoke authentication for every single REST
invocation.
On 9/12/16 11:06 AM, Marc Boorshtein wrote:
> I'm looking at the OpenID Connect specs and what I don't understand is
> why the access_token returned to my client is a JWT. Shouldn't it be
> just a code? I'm sending a cope of "code" but there's nothing I can
> see that says the access_token should be a JWT other than that's what
> everyone seems to do.
>
> Thanks
>
>
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorshtein at tremolosecurity.com
> Twitter - @mlbiam / @tremolosecurity
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev