OAuth Access Token Implementation

1. Implementation Types

1.1. Identifier Type

Identifier-Type Access Token

1.2. Self-Contained Type

Self-Contained-Type Access Token

1.3. Hybrid Type

Hybrid-Type Access Token

2. How To Get Access Token Information

2.1. How To Get Information about Identifier-Type Access Token

Introspection Endpoint
Request to and Response from Introspection Endpoint
Access Token Cache

2.2. How To Get Information about Self-Contained-Type Access Token

Obtain Information without Calling Introspection Endpoint

3. Verification of Self-Contained-Type Access Token

Access Token Signature Verification

4. Consideration Points for JWT-based Access Token

4.1. Signature Algorithm

Signature Algorithms listed in RFC 7518

4.1.1. Symmetric Signature Algorithm

No Rule for Shared Key between Authorization Server and Resource Server

4.1.2. Asymmetric Signature Algorithm

JWK Set Endpoint

4.2. Encryption

4.2.1. Symmetric Encryption Algorithm

4.2.2. Asymmetric Encryption Algorithm

4.3. Information Hidden from Client

Unencrypted JWT-based Access Token

4.4. Access Token Revocation

Inquiry about Revocation Status of Access Token

4.5. Claim

4.5.1. Claim Name

"scopes" : [ "email", "profile" ]
"scope" : "email profile"

4.5.2. Certificate Binding

Certificate Binding
x5t#S256 — Thumbprint of Client Certificate bound to Access Token

4.5.3. Claims Included in UserInfo Response

“claims” Parameter Including “userinfo”
“userinfo” in JWT-based Access Token

4.5.4. Potential Privacy Leakage

5. Authlete’s Implementation

Access Token Signature Algorithm
Certified Financial-grade API OpenID Providers as of April 1, 2019
Please contact us (sales@authlete.com)!

Useful Links



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Takahiko Kawasaki

Co-founder and representative director of Authlete, Inc., working as a software engineer since 1997. https://www.authlete.com/