1

OLTU, in its limited documentation, has an example of serving access tokens based on generated UUIDs. See here under Token Endpoint.

It also has an example of using JWTs (Java Web Tokens) for server-to-server authorization here, but only as a bearer token in an authorization grant request

Nowadays it is common to use JWTs as the access tokens themselves (saves unnecessary trips to the authorization server)

Is there any reason this is not provided by OLTU out-of-the-box? It seems it would be easy to implement a custom solution, but I would have expected there to be a JWT-based implementation of the ValueGenerator interface so that the standard implementation of the token issuer, OAuthIssuerImpl could generate one.

Is anybody doing this with OLTU?

Rhubarb

  • We're looking into doing more or less the same and I have a hard time finding out what the Oltu JWT code does or does not do already. The documentation is pretty nonexistent. Did you have any success with this? – David Jun 06 '16 at 14:59

1 Answer

0

The thing is, OAuth's spec doesn't force the use of a JWT, so the implementation of Oltu, respecting the spec and aiming to be as compliant as possible, uses a random string that doesn't contain any out-of-spec information in it.

From the spec:

Access tokens can have different formats, structures, and methods of utilization (e.g., cryptographic properties) based on the resource server security requirements. Access token attributes and the methods used to access protected resources are beyond the scope of this specification

Turtle
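A sketch of the custom solution the question describes, added here as an example and not taken from Oltu or from either poster: a `ValueGenerator` that returns an HS256-signed JWT, so `OAuthIssuerImpl` hands it out in place of a random string. The class name, the choice of HS256, the claim set and the constructor parameters are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.UUID;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.oltu.oauth2.as.issuer.ValueGenerator;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;

// Hypothetical class, not part of Oltu. OAuthIssuerImpl calls generateValue() with no
// arguments, so the per-user claims have to be supplied when the generator is built.
public class JwtValueGenerator implements ValueGenerator {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final byte[] key;
    private final String iss, sub;
    private final long ttl;

    public JwtValueGenerator(byte[] key, String iss, String sub, long ttlSeconds) {
        if (key.length < 32) throw new IllegalArgumentException("HS256 needs a key of 32+ bytes");
        this.key = key.clone();
        this.iss = safe(iss);
        this.sub = safe(sub);
        this.ttl = ttlSeconds;
    }
    // Claims are spliced into JSON by hand, so refuse anything that could break out of a string.
    private static String safe(String v) {
        if (v == null || !v.matches("[A-Za-z0-9._:/@-]{1,128}")) throw new IllegalArgumentException("unsafe claim value");
        return v;
    }

    @Override
    public String generateValue() throws OAuthSystemException {
        return generateValue(UUID.randomUUID().toString()); // random jti per token
    }

    @Override
    public String generateValue(String jti) throws OAuthSystemException {
        long now = System.currentTimeMillis() / 1000;
        String claims = String.format("{\"iss\":\"%s\",\"sub\":\"%s\",\"iat\":%d,\"exp\":%d,\"jti\":\"%s\"}",
                iss, sub, now, now + ttl, safe(jti));
        String signingInput = enc("{\"alg\":\"HS256\",\"typ\":\"JWT\"}") + "." + enc(claims);
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return signingInput + "." + B64.encodeToString(mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII)));
        } catch (java.security.GeneralSecurityException e) {
            throw new OAuthSystemException(e);
        }
    }
    private static String enc(String json) { return B64.encodeToString(json.getBytes(StandardCharsets.UTF_8)); }
}
```

Pass an instance to `new OAuthIssuerImpl(...)` and call `accessToken()`. The same issuer's `refreshToken()` and `authorizationCode()` go through the same generator, so keep a separate issuer with a random-string generator for those, and have the resource server verify the signature and `exp` on every request.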