openiddict-documentation/guide/token-formats.html

<!DOCTYPE html>
<!--[if IE]><![endif]-->
<html>
  
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <title>Understanding the different token formats </title>
    <meta name="viewport" content="width=device-width">
    <meta name="title" content="Understanding the different token formats ">
    <meta name="generator" content="docfx 2.45.1.0">
    
    <link rel="shortcut icon" href="../favicon.ico">
    <link rel="stylesheet" href="../styles/docfx.vendor.css">
    <link rel="stylesheet" href="../styles/docfx.css">
    <link rel="stylesheet" href="../styles/main.css">
    <meta property="docfx:navrel" content="../toc.html">
    <meta property="docfx:tocrel" content="toc.html">
    
    
    
  </head>
  <body data-spy="scroll" data-target="#affix" data-offset="120">
    <div id="wrapper">
      <header>
        
        <nav id="autocollapse" class="navbar navbar-inverse ng-scope" role="navigation">
          <div class="container">
            <div class="navbar-header">
              <button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#navbar">
                <span class="sr-only">Toggle navigation</span>
                <span class="icon-bar"></span>
                <span class="icon-bar"></span>
                <span class="icon-bar"></span>
              </button>
              
              <a class="navbar-brand" href="../index.html">
                <img id="logo" class="svg" src="../logo.svg" alt="">
              </a>
            </div>
            <div class="collapse navbar-collapse" id="navbar">
              <form class="navbar-form navbar-right" role="search" id="search">
                <div class="form-group">
                  <input type="text" class="form-control" id="search-query" placeholder="Search" autocomplete="off">
                </div>
              </form>
            </div>
          </div>
        </nav>
        
        <div class="subnav navbar navbar-default">
          <div class="container hide-when-search" id="breadcrumb">
            <ul class="breadcrumb">
              <li></li>
            </ul>
          </div>
        </div>
      </header>
      <div role="main" class="container body-content hide-when-search">
        
        <div class="sidenav hide-when-search">
          <a class="btn toc-toggle collapse" data-toggle="collapse" href="#sidetoggle" aria-expanded="false" aria-controls="sidetoggle">Show / Hide Table of Contents</a>
          <div class="sidetoggle collapse" id="sidetoggle">
            <div id="sidetoc"></div>
          </div>
        </div>
        <div class="article row grid-right">
          <div class="col-md-10">
            <article class="content wrap" id="_content" data-uid="">
<h1 id="understanding-the-different-token-formats">Understanding the different token formats</h1>

<p>OpenIddict can be configured to use three access token formats:</p>
<ul>
<li>opaque tokens (default)</li>
<li>reference tokens</li>
<li>JWTs (Json Web Tokens)</li>
</ul>
<p>Tokens differ in what they look like and how they are validated. The default tokens will work fine in most use cases. There are times, however, where the other token formats would be preferred or required.</p>
<blockquote><p><strong>Note: Identity tokens are always JWTs, according to spec.</strong></p>
</blockquote>
<h2 id="opaque-tokens-default">Opaque tokens (default)</h2>
<p>The default access tokens are opaque tokens. They are encrypted and signed by the authorization server using the ASP.NET Core Data Protection stack. Their contents can only be inspected by the authorization server or another server sharing the same ASP.NET Core Data Protection configuration.</p>
<p>These are &quot;proprietary&quot; tokens that are not meant to be read or verified by a third-party, as the token format is not standard and necessarily relies on symmetric signing and encryption.</p>
<p>We use this format for authorization codes and refresh tokens. They are only meant to be consumed by OpenIddict itself.</p>
<h3 id="benefits">Benefits</h3>
<ul>
<li>No additional configuration required</li>
<li>Uses OpenIddict&#39;s built-in validation</li>
<li>Resource servers can validate tokens without having to contact authorization server if using shared ASP.NET Core DataProtection</li>
<li>Tokens are encrypted so no one can inspect the token, e.g. if tokens somehow end up in your logs somewhere or are intercepted somehow</li>
</ul>
<h3 id="drawbacks">Drawbacks</h3>
<ul>
<li>Proprietary format, so if you add non .NET Core resource servers in the future you need to switch to JWTs for direct validation or use introspection for indirect validation</li>
<li>Claims are stored within the token, which is convenient but token size could get large if there are a lot of claims (probably not an issue in real-world scenarios)</li>
<li>Token expiration is in the token itself, so even if users sign out their tokens will still be valid until they reach their expiration</li>
</ul>
<h3 id="setup-and-api-validation-configuration">Setup and API validation configuration</h3>
<p><a href="../configuration/token-setup-and-validation.html#default-configuration-opaque-tokens">Here</a></p>
<hr>
<h2 id="reference-tokens">Reference tokens</h2>
<p>When using reference token format, authorization codes, access tokens and refresh tokens are stored as ciphertext in the database and a crypto-secure random identifier is returned to the client application.</p>
<h3 id="benefits-1">Benefits</h3>
<ul>
<li>Minimal configuration required</li>
<li>Uses OpenIddict&#39;s built-in validation</li>
<li>Resource servers can validate tokens without having to contact authorization server</li>
<li>Token sizes are very small regardless of number of claims because they only contain ids</li>
<li>Issued tokens are tracked in data store</li>
<li>Can immediately be revoked</li>
</ul>
<h3 id="drawbacks-1">Drawbacks</h3>
<ul>
<li>.NET Core validation only (although someone could write it for other platforms)</li>
<li>Requires a connection to OpenIddict&#39;s data store, e.g. Entity Framework DataContext. Resource servers may not want to have to reference OpenIddict&#39;s database</li>
<li>Because only ids are in the access tokens, a call to the database is required for every request</li>
</ul>
<h3 id="setup-and-api-validation-configuration-1">Setup and API validation configuration</h3>
<p><a href="../configuration/token-setup-and-validation.html#reference-token-format">Here</a></p>
<hr>
<h2 id="jwts-json-web-tokens">JWTs (JSON Web Tokens)</h2>
<p>These are standard tokens verifiable by third parties, used by Azure Active Directory, Auth0, and other valid OAuth 2.0 service. They are signed by the authorization server but their contents are not encrypted so they can be read by anyone.</p>
<h3 id="benefits-2">Benefits</h3>
<ul>
<li>Good to be familiar with JWTs because they are a commonly used access token type in OAuth 2.0 and are also <code>id token</code> type</li>
<li>Plenty of platforms include JWT validation libraries (.NET, PHP, Node, Python, etc)</li>
<li>Future proof</li>
</ul>
<h3 id="drawbacks-2">Drawbacks</h3>
<ul>
<li>Anyone can inspect contents (see <a href="https://jwt.io/">https://jwt.io/</a>), so if token is hanging around in a log somewhere or intercepted somehow all claims or other information in the token can be read, even if token is expired</li>
<li>Claims are stored within the token, which is convenient but token size could get large if there are a lot of claims (probably not an issue in real-world scenarios)</li>
<li>Token expiration is in the token itself, so even if users sign out their tokens will still be valid until they reach their expiration</li>
</ul>
<h3 id="setup-and-api-validation-configuration-2">Setup and API validation configuration</h3>
<p><a href="../configuration/token-setup-and-validation.html#jwts">Here</a></p>
</article>
          </div>
          
          <div class="hidden-sm col-md-2" role="complementary">
            <div class="sideaffix">
              <div class="contribution">
                <ul class="nav">
                  <li>
                    <a href="https://github.com/openiddict/openiddict-documentation/blob/dev/guide/token-formats.md/#L1" class="contribution-link">Improve this Doc</a>
                  </li>
                </ul>
              </div>
              <nav class="bs-docs-sidebar hidden-print hidden-xs hidden-sm affix" id="affix">
              <!-- <p><a class="back-to-top" href="#top">Back to top</a><p> -->
              </nav>
            </div>
          </div>
        </div>
      </div>
      
      <footer>
        <div class="grad-bottom"></div>
        <div class="footer">
          <div class="container">
            <span class="pull-right">
              <a href="#top">Back to top</a>
            </span>
            
            <span>Generated by <strong>DocFX</strong></span>
          </div>
        </div>
      </footer>
    </div>
    
    <script type="text/javascript" src="../styles/docfx.vendor.js"></script>
    <script type="text/javascript" src="../styles/docfx.js"></script>
    <script type="text/javascript" src="../styles/main.js"></script>
  </body>
</html>