Generating access tokens as JWT
Although JSON Web Tokens (JWTs) are mostly used to represent self-contained access tokens in OAuth 2.0 solutions, the specification (RFC 7519, available at https://tools.ietf.org/html/rfc7519) clearly defines their purpose as representing claims to be transferred between parties. Briefly, this means that JWTs can be used for both authentication and information exchange, as described at https://jwt.io/introduction. Because of the structure of a JWT, the Resource Server can extract client information, and even data about the subject (which commonly means the Resource Owner), and validate the access token locally, instead of having to use a shared database or validate remotely through token introspection. The claims in a JWT are represented as a JSON payload, which can be HMAC signed or encrypted.
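The local validation described above, as an added Python example that is not code from the original text: a Resource Server verifies an HMAC-signed (HS256) JWT access token with only the standard library, then reads the subject and client claims. The function names, the shared key and the sample claims are assumptions constructed for this example.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()

def issue_token(claims: dict, key: bytes) -> str:
    """Authorization Server side: serialize header and claims, then HMAC-sign."""
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + b64url_encode(_tag(key, signing_input))

def validate_locally(token: str, key: bytes, now=None) -> dict:
    """Resource Server side: check signature and expiry with no remote call."""
    try:
        header_b64, payload_b64, tag_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        supplied = b64url_decode(tag_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the header is attacker-controlled until verified,
    # so it must never choose how (or whether) the signature is checked.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Constant-time comparison over the exact bytes that were received.
    if not hmac.compare_digest(_tag(key, f"{header_b64}.{payload_b64}"), supplied):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # A token without "exp" is treated as expired rather than valid forever.
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"  # constructed sample key
    token = issue_token({"sub": "alice", "client_id": "demo-client",
                         "scope": "read_profile", "exp": int(time.time()) + 300}, key)
    print(validate_locally(token, key))
```

The claims are only read after the signature check succeeds, so the subject and client data the Resource Server acts on are the ones the issuer signed.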
Note
The hash-based message authentication code (HMAC) is a portion of information that can be used to verify some...