security
Add authentication mechanism for OpaqueToken
As mentioned in #255, OAuth 2.1 still supports opaque tokens instead of JWT tokens, and opaque tokens are used widely in real-world applications.
When decoding the user claims, instead of decoding the JWT token itself, it sends an HTTP request to the predefined userInfoUri attribute.
I am not sure if we can consider both JWT and opaque token introspection when we are introducing JWT authentication: https://github.com/jakartaee/security/issues/255#issuecomment-1193501827
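
The claims lookup described in the issue above, as an added example that is not part of the original post and not Jakarta Security code: the opaque token is sent as a bearer credential to the `userInfoUri`, and any non-200 answer is treated as a failed authentication. The class name, `fetchClaims`, the token values and the local stub endpoint (plain HTTP on loopback, standing in for the provider's HTTPS endpoint) are all constructed for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.Optional;

public class OpaqueTokenClaims {
    private static final HttpClient CLIENT =
            HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(2)).build();

    // An opaque token carries no readable claims, so they are requested from the provider.
    // Empty result means the provider rejected the token: the caller must fail authentication.
    static Optional<String> fetchClaims(URI userInfoUri, String token) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(userInfoUri)
                .timeout(Duration.ofSeconds(2))
                .header("Authorization", "Bearer " + token)
                .header("Accept", "application/json")
                .GET().build();
        HttpResponse<String> res = CLIENT.send(req, HttpResponse.BodyHandlers.ofString());
        return res.statusCode() == 200 ? Optional.of(res.body()) : Optional.empty();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stub standing in for the provider's UserInfo endpoint (assumption).
        HttpServer stub = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stub.createContext("/userinfo", ex -> {
            boolean ok = "Bearer opaque-abc123".equals(ex.getRequestHeaders().getFirst("Authorization"));
            byte[] body = (ok ? "{\"sub\":\"alice\",\"groups\":[\"user\"]}" : "{\"error\":\"invalid_token\"}")
                    .getBytes(StandardCharsets.UTF_8);
            ex.getResponseHeaders().add("Content-Type", "application/json");
            if (!ok) ex.getResponseHeaders().add("WWW-Authenticate", "Bearer error=\"invalid_token\"");
            ex.sendResponseHeaders(ok ? 200 : 401, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        stub.start();
        URI userInfoUri = URI.create("http://127.0.0.1:" + stub.getAddress().getPort() + "/userinfo");
        for (String token : new String[] {"opaque-abc123", "opaque-revoked"}) {
            System.out.println(token + " -> " + fetchClaims(userInfoUri, token).orElse("rejected"));
        }
        stub.stop(0);
    }
}
```

Unlike local JWT verification, every authentication here costs a round trip to the provider, so the request timeout and the fail-closed handling of non-200 responses decide how the application behaves when the provider is slow or unreachable.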