What goes in an OAuth 2.0 access token?

The RFC is rather vague about what goes in an access token:

The token may denote an identifier used to retrieve the authorization information, or self-contain the authorization information in a verifiable manner [ch.1.4, p.2]

Fair enough, the implementation details aren't really the thing an RFC should focus on. The thing that is tripping me up in the grand scheme of things is the word 'resource'.

An access token is used by the client to retrieve a resource (to me, this implies 'singular') from the resource server. Does this mean that the access token contains the id of a single resource, along with the permissions granted for that resource? For example, as a JWT payload:

{
    "type"        : "image",
    "id"          : "42",
    "permissions" : "read,update"
}

If so, then how can the authorization server contain information about each resource, and who has permissions to do what to each resource, without being tightly coupled to the resource server?

If not, then what does the access token contain? And does that mean that there is still going to be some degree of permission-checking done on the resource server?
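The RFC quote above allows two token shapes: an opaque identifier the resource server has to look up, or a self-contained, verifiable token. The added example below (not from the question or any OAuth library; the key, the `images-api` audience and the `image:read`-style scope strings are constructed for illustration) shows both shapes and the check a resource server still performs on either one: verify the token, confirm it is meant for this server, and confirm its granted scope covers the requested action. It uses a minimal HMAC signature in place of a real JWS library.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key shared by the authorization server (AS) and resource server (RS).
SECRET = b"constructed-demo-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_self_contained(claims: dict) -> str:
    """AS side: sign the claims so the RS can verify them without calling back."""
    body = b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = b64url(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_self_contained(token: str) -> Optional[dict]:
    """RS side: reject malformed or tampered tokens, otherwise return the claims."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, tag = parts
    expected = b64url(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(b64url_decode(body))


# Opaque (reference) token: the string is only a handle; the grant lives at the AS.
AS_GRANTS = {"opaque-handle-1": {"aud": "images-api", "scope": "image:read", "sub": "alice"}}


def introspect(token: str) -> Optional[dict]:
    """Stand-in for asking the AS what an opaque token means."""
    return AS_GRANTS.get(token)


def authorize(claims: Optional[dict], audience: str, needed_scope: str) -> bool:
    """The RS's residual check: token is for this server and its scope covers the action."""
    if claims is None or claims.get("aud") != audience:
        return False
    return needed_scope in claims.get("scope", "").split()
```

Note that neither token names a single resource id: the scope describes classes of actions, and the resource server still decides whether `image:update` applies to the specific image being requested.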
