[keycloak-dev] Why is the access_token a JWT?

Bill Burke bburke at redhat.com
Mon Sep 12 12:45:24 EDT 2016

Our access tokens are JWS's.  Json Web Signatures that contain a JWT.  
This way if Client One gets an access token this token can be used to 
invoke on Client Foo.  Client Foo validates the JWS signature with the 
realm's public key, if correct, allows the invocation.  THis is so that 
you don't have to have a hub/spoke authentication for every single REST 

On 9/12/16 11:06 AM, Marc Boorshtein wrote:
> I'm looking at the OpenID Connect specs and what I don't understand is
> why is the access_token returned to my client a JWT?  Shouldn't it be
> just a code?  I'm sending a cope of "code" but there's nothing I can
> see that says the access_token should be a JWT other then thats what
> everyone seems to do.
> Thanks
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorshtein at tremolosecurity.com
> Twitter - @mlbiam / @tremolosecurity
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list