Today I want to write a few words about security tokens in OAuth2.
First of all, I'd like to point out that security tokens were not needed in the corporate world. By corporate world I mean networks such as B2B or B2E, which have a strong system administration army behind them.
But if you need to serve B2C or a similar scenario, you will need tokens.
Security tokens usually have the following features:
- They are protected data structures.
- Not prescribed by OAuth2, but quite often they are implemented as JSON Web Tokens.
- They carry information about the producer (issuer) and the subject (claims).
- They are signed (they carry some kind of identity proof).
- They usually contain an expiry date and time.
Security tokens have the following lifetime:
- The client requests a token.
- The producer creates the token.
- A resource that has a trust relationship with the producer consumes the token.
Historically, the following token formats have been used:
- SAML 1.1/2.0
  - XML based
  - encryption and signature options
- Simple Web Token (SWT)
  - form/URL encoded
  - symmetric signatures only
- JSON Web Token (JWT)
  - JSON encoded
  - symmetric and asymmetric signatures (HMAC-SHA256/384, ECDSA, RSA)
  - symmetric and asymmetric encryption (RSA, AES/GCM)
  - widely used in the corporate world