-
|
I can't understand 'token is opaque'. Who can give some detail about it . |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment
-
|
A JWT is not encrypted, only signed. That is, it contains all claims in JSON format, with a signature as the trailer. Opaque tokens on the other hand are, as the name indicates "opaque". They don't contain any information/claims. So, if you're using JWTs, it's possible to do "offline validation" via JWKS. With an opaque token, this doesn't work. So we're using the userInfo endpoint of the issuer to get their claims. This might be a bit more expensive, but we can cache the result so that you don't have to call the issuer for each token. |
Beta Was this translation helpful? Give feedback.
A JWT is not encrypted, only signed. That is, it contains all claims in JSON format, with a signature as the trailer. Opaque tokens on the other hand are, as the name indicates "opaque". They don't contain any information/claims. So, if you're using JWTs, it's possible to do "offline validation" via JWKS. With an opaque token, this doesn't work. So we're using the userInfo endpoint of the issuer to get their claims. This might be a bit more expensive, but we can cache the result so that you don't have to call the issuer for each token.