question: what is the use case for 'use_jwt_access_token'

[pbfteambox]

Hi,

I am trying to setup an oauth2/openidconnect server using the library. Everything works fine exectp when I turn the setting 'use_jwt_access_token' on.

I was under the impression that this setting was needed for openid, but I am obviously mistaken. However I don't quite understand the use case for this setting.

Under what circumstances is the server supposed to create an JWT Bearer ? (if any).

Best regards,

Patrick.

[bshaffer]

Thanks for the reminder - I need to update the documentation to the new naming conventions. But this refers to the server issuing JWT Tokens as Access Tokens, previously called Crypto Tokens - http://bshaffer.github.io/oauth2-server-php-docs/overview/crypto-tokens/

[pbfteambox]

Actually I have read the documentation. But I still don't get in what situation one needs a JWT Token.

Do you have examples at hand of services that would need this feature ?

Also, is it desirable to create JWTToken for all case where an access token would be generated ?

Best regards,

Patrick.

[bshaffer]

you can use JWT Access Tokens if you have distributed systems, and need to validate a token's authenticity by more than one party without having to make a network call.

For instance, a token is granted by the Authorization Server. That token is a JSON Web Token signed by the Authorization Server's private key. The Resource Servers (where API calls are made) are spread out all over the world, running multiple applications. As long as the Resource Servers have the Authorization Server's public key, which does not need to be secured, they can validate the tokens quickly without any network calls. The tokens don't even need to be persisted.

It's an enterprisey use case, but is very useful for distributed systems.

[pbfteambox]

Ok thanks for that little bit of information. This is what was missing from the doc page (which is otherwise complete), for me!