5.13.11 Encrypting Access Token

Access Manager generates OAuth 2 access token in the JWT format. You can choose to encrypt this token or use it without encryption. You can also choose who can validate the access token.

Access Manager generates an access token, then encrypts the access token by using a random symmetric key. This encrypted token includes the key in plain text and can be encrypted by using either the Access Manager or the resource server key. The Access Manager signing public key information is displayed in JSON Web Key Set Endpoint, which you can view on the EndPoint Summary page of Administration Console.

The access token can include user attribute or custom claims based on the resource server’s requirement. This helps when you encrypt an access token by using the resource server key. The resource server can decrypt and validate the token without the need to request for user attribute information from Access Manager.

NOTE:The size of the token is variable. You must ensure that the token size does not increase when you are using multiple user attributes or claims along with a specific algorithm.

Access Manager can encrypt the access token by using any of the following methods.

NOTE:By default, Access Manager encrypts the access token with Access Manager key. To use resource server key to encrypt the access token, an OAuth request must contain the resourceServer parameter. If a request is sent without the resourceServer parameter, then Access Manager uses its key to encrypt the token.