Use opaque access tokens by default and update the MVC sample to use the new validation middleware #185
Starting with ASOS beta5, we'll stop using JWT as the default format for access tokens and go back to opaque tokens (serialized by the data protection block), exactly like
Since ASP.NET 5 offers no native support for opaque tokens, I developed 2 new middleware:
The MVC sample will be updated to reflect those changes.
Opaque tokens are actually the best compromise between security (as they are fully encrypted) and simplicity, because you don't have to configure anything to use them (as long as the authorization server and the resource server are part of the same application and share the same data protection keys, which should cover most basic cases).
This is particularly true with the validation middleware (aka the zero-conf middleware
One could argue that we could achieve the same security objective by using JWE (that should be supported by IdentityModel soon). It's true, but JWE token encryption comes with a downside: you have to manage a list of public keys corresponding to the resource servers (when using asymmetric keys) or share a symmetric key between the authorization server and the resource servers, which requires some advanced configuration, incompatible with the simplicity-by-default approach (that said, this is definitely something we'll support when JWE is implemented, it just won't be the default format).
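To make the trade-off above concrete, here is an added example (not ASOS code and not the sample from this repository) that models an opaque access token the way the comment describes it: the authorization server serializes its claims and protects them with the data protection stack, and a resource server sharing the same key ring can validate them with no further configuration, while a server with a different key ring cannot. It assumes the current `Microsoft.AspNetCore.DataProtection.Extensions` package (`DataProtectionProvider.Create`, `Protect`/`Unprotect`) rather than the ASP.NET 5 beta APIs, and the purpose string, key directories and claim names are constructed for the example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text.Json;
using Microsoft.AspNetCore.DataProtection;

// Added example, not ASOS code. An "opaque" access token here is simply the
// claims payload run through IDataProtector: encrypted and authenticated under
// the application's data protection keys, so the client sees only ciphertext.
static class OpaqueTokenDemo
{
    // Purpose string isolating these tokens from other protected payloads
    // (constructed value for the example).
    const string Purpose = "Demo.AccessToken.v1";

    // Each "server" gets a protector rooted at a key directory; servers that
    // point at the same directory share the same key ring.
    static IDataProtector CreateProtector(string keyDirectory) =>
        DataProtectionProvider.Create(new DirectoryInfo(keyDirectory))
                              .CreateProtector(Purpose);

    // Authorization server side: serialize the claims and protect them.
    public static string Issue(IDataProtector protector, string subject,
                               string[] scopes, DateTimeOffset expiresAt)
    {
        var payload = JsonSerializer.Serialize(new
        {
            sub = subject,
            scope = scopes,
            exp = expiresAt.ToUnixTimeSeconds()
        });
        return protector.Protect(payload); // base64url ciphertext + auth tag
    }

    // Resource server side: unprotect and check expiry. Returns null when the
    // token was tampered with, was produced under other keys, or has expired.
    public static JsonElement? Validate(IDataProtector protector, string token)
    {
        string payload;
        try
        {
            payload = protector.Unprotect(token);
        }
        catch (CryptographicException)
        {
            return null; // wrong keys or modified ciphertext
        }

        var claims = JsonDocument.Parse(payload).RootElement;
        var now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        return claims.GetProperty("exp").GetInt64() < now ? null : claims;
    }

    static void Main()
    {
        var sharedKeys = Path.Combine(Path.GetTempPath(), "opaque-demo-keys");
        var otherKeys  = Path.Combine(Path.GetTempPath(), "opaque-demo-other-keys");

        var authServer = CreateProtector(sharedKeys);
        var token = Issue(authServer, "alice", new[] { "api" },
                          DateTimeOffset.UtcNow.AddMinutes(10));
        Console.WriteLine($"token (opaque to the client): {token[..16]}...");

        // Same application / same key ring: validates with zero configuration.
        var resourceServer = CreateProtector(sharedKeys);
        var claims = Validate(resourceServer, token);
        Console.WriteLine($"same keys: {claims?.GetProperty("sub").GetString() ?? "rejected"}");

        // Different key ring: the token is bound to the issuing keys, so it is
        // rejected. This is the case JWE would cover by distributing keys.
        var strangerServer = CreateProtector(otherKeys);
        Console.WriteLine($"other keys: {(Validate(strangerServer, token) is null ? "rejected" : "accepted")}");

        // Changing a single character of the ciphertext fails authentication.
        var chars = token.ToCharArray();
        chars[10] = chars[10] == 'A' ? 'B' : 'A';
        var tampered = new string(chars);
        Console.WriteLine($"tampered: {(Validate(resourceServer, tampered) is null ? "rejected" : "accepted")}");
    }
}
```

The point of the last two checks is the one the comment makes: confidentiality and integrity come for free from the shared key ring, and the only "configuration" a resource server needs is access to the same keys. Splitting the resource server into a separate application is exactly where that stops being automatic, and where a key-distribution scheme such as JWE becomes necessary.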