Chapter 11. OAuth tokens


This chapter covers

  • What an OAuth token is
  • Including information in structured JSON Web Tokens (JWT)
  • Protecting token data with JOSE
  • Looking up token information in real time with token introspection
  • Managing a token lifecycle with token revocation

For all its redirects and flows and components, the OAuth protocol is ultimately about tokens. Think back to our cloud-printing example from chapter 1. In order for the photo-storage service to know that the printer had access to the photos, the printer service needed to give something to prove that authorization. We call the thing that the printer gives to the storage service an access token, and we’ve already been working with them extensively throughout the book. Now we’re going to take a more in-depth look at OAuth tokens and managing them in an OAuth ecosystem.

11.1. What are OAuth tokens?

Tokens are at the core of all OAuth transactions. Clients fetch tokens from the authorization server to give to the protected resource. The authorization server creates tokens and hands them out to clients, managing resource owner delegations and client permissions to attach to the tokens along the way. The protected resource receives tokens from the clients and validates them, matching the attached permissions and rights to the request made by the client.

11.2. Structured tokens: JSON Web Token (JWT)

11.3. Cryptographic protection of tokens: JSON Object Signing and Encryption (JOSE)

11.4. Looking up a token’s information online: token introspection

11.5. Managing the token lifecycle with token revocation

11.6. The OAuth token lifecycle

11.7. Summary
