FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Support Biscuit as an access token format #2582

Open mooreds opened 9 months ago

mooreds commented 9 months ago

Support Biscuit as an access token format

Problem

Biscuit is another form of signed tokens. Major benefit (per HN) is that it allows for attenuation of tokens without contacting an authorization server.

Would be interesting to hear the community's desire for implementing this as an access token format, hence this issue.

Solution

Have a per-tenant option to have access tokens generated as biscuit tokens rather than JWTs.

Alternatives/workarounds

n/a

Additional context

There is a Java lib for this: https://github.com/biscuit-auth/biscuit-java

Main website: https://www.biscuitsec.org/

Blog post about Biscuit and OAuth: https://www.biscuitsec.org/blog/oauth-oidc/

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

justin-hughey-github commented 8 months ago

How about Simple Random Tokens?

https://fly.io/blog/api-tokens-a-tedious-survey/

mooreds commented 8 months ago

@justin-hughey-github Thanks for the feedback. That's probably a separate issue; feel free to file it with more details about your use case.

However, JWTs issued by FusionAuth can gracefully degrade to simple random tokens if you treat the JWTs you receive as opaque tokens (never examine them on the client or the resource server), put minimum information in them (using the JWT populate lambda to strip out as much as you can), and always use the introspect endpoint to validate them.
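The opaque-token handling described in the last comment, as an added example that is not part of the thread and is not FusionAuth's code: a resource server forwards the token untouched to an introspection endpoint and fails closed on any error. The URL, client ID, the function names and the `scope` check are assumptions for illustration; the response shape (`active`, space-separated `scope`) follows RFC 7662.

```python
import json
import urllib.parse
import urllib.request

INTROSPECT_URL = "https://auth.example.com/oauth2/introspect"  # placeholder host
CLIENT_ID = "00000000-0000-0000-0000-000000000000"             # placeholder ID


def http_post(url, form, timeout=5):
    """Default transport: POST a form, return the decoded JSON body."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def check_token(token, required_scope, post=http_post):
    """Return the introspected claims if the authorization server reports the
    token active and it carries required_scope; otherwise return None.

    The token is only forwarded as an opaque string: it is never split,
    base64-decoded or signature-checked on the resource server.
    """
    if not token or len(token) > 8192:
        return None
    try:
        claims = post(INTROSPECT_URL, {"client_id": CLIENT_ID, "token": token})
    except (OSError, ValueError):
        return None  # network or parse failure: fail closed
    # Require the JSON boolean true; a string such as "true" is rejected.
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return None
    # Scope check is an assumption added here, not something the thread states.
    if required_scope not in str(claims.get("scope", "")).split():
        return None
    return claims


def stub_post(url, form):
    """Constructed stand-in for the introspection endpoint (sample data)."""
    known = {"tok-live": {"active": True, "sub": "user-123",
                          "scope": "orders:read"}}
    return known.get(form["token"], {"active": False})
```

Because every request goes back to the authorization server, a revoked token stops working on the next call rather than at its expiry time.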