7 Ways an OAuth Access Token is like a Hotel Key Card

Learn 7 things OAuth 2.0 access tokens have in common with a hotel key card.

developer.okta.com

Stephan | Devoxx Belgium 2024: 7 - 11 Oct · Jun 6, 2019 · 10:01 AM UTC

Stephan | Devoxx Belgium 2024: 7 - 11 Oct

@Stephan007

6 Jun 2019

Nice write up! Question: if an authenticated user gets a new/extra role, does the server create a new JWT or is there a way to update the existing token?

Tim Ysewyn - @tysewyn@fosstodon.org · Jun 6, 2019 · 1:40 PM UTC

Tim Ysewyn - @tysewyn@fosstodon.org @TYsewyn

6 Jun 2019

Why should the role be in the token if you have the userinfo endpoint? Or why should there even be a (list of) role(s) in the token if it’s only a means to have access to an endpoint? 🤔

Aaron Parecki · Jun 6, 2019 · 7:20 PM UTC

Aaron Parecki · Jun 6, 2019 · 7:20 PM UTC

Aaron Parecki @aaronpk

6 Jun 2019

Replying to @TYsewyn @Stephan007 @mraible

Some people like to use JWTs for access tokens or other self-encoded mechanisms. There are definitely trade-offs.

Jun 6, 2019 · 7:20 PM UTC