What’s in an AuthorizationServer Access Token?

The main job of AS is to produce access tokens in the JWT format. The client and the user provide the following input information for that process:

  • Client
    application (via the endpoint URL), client identifier, scopes
  • User
    identity, consent to the requested scopes

A resulting access token could look like this:


That’s a serialized JWT – when you copy and paste that JWT to here – you will see the following JSON string:

    {
      "iss": "ThinktectureAuthorizationServer",
      "aud": "users",
      "nbf": 1371493550,
      "exp": 1371497150,
      "client_id": "codeclient",
      "scope": [ ... ],
      "sub": "dominick"
    }

  • iss
    Issuer name of the access token
  • aud
    Audience (the identifier of the application the token is for)
  • nbf
    Not before (start of validity period)
  • exp
    Expiration (end of validity period)
  • client_id
    The identifier for the client that asked for the token
  • scope
    The granted permissions
  • sub
    Subject. The unique identifier of the user (aka resource owner).

The token is digitally signed – either with a symmetric key or with an X.509 cert.

Remark: When doing an OAuth2 client credentials flow, where no user is involved, the sub claim is missing from the token.

All claims besides sub come from the AS configuration database. It’s the job of the claims transformation module to provide the sub claim. But more on that in a separate blog post.
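
To show how a resource server would consume these claims, here is an added example (not code from AuthorizationServer or from this post) that verifies a token signed with a symmetric key and then checks iss, aud, nbf/exp and scope. It covers only the symmetric-key (HS256) case; the key, the scope value "read" and all function names are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims, key):
    """Issue a constructed HS256 token for the demo (the AS side)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def validate(token, key, issuer, audience, required_scope, now=None):
    """Resource-server side: return the claims or raise ValueError."""
    try:
        head, body, sig = token.split(".")
        alg = json.loads(b64url_decode(head)).get("alg")
        sig = b64url_decode(sig)
    except Exception:
        raise ValueError("malformed token")
    # Pin the algorithm; do not let the token header choose it.
    if alg != "HS256":
        raise ValueError("unexpected alg")
    # The signature is the third segment and covers "header.payload".
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))  # trusted only after the check above
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("outside validity period")
    if required_scope not in claims.get("scope", []):
        raise ValueError("missing scope")
    return claims  # no "sub" when issued via the client credentials flow

KEY = b"constructed-demo-key"  # constructed; not from the page
CLAIMS = {"iss": "ThinktectureAuthorizationServer", "aud": "users",
          "nbf": 1371493550, "exp": 1371497150, "client_id": "codeclient",
          "scope": ["read"],  # constructed; the page's scope values are not shown
          "sub": "dominick"}
TOKEN = sign_hs256(CLAIMS, KEY)
```

A token whose payload is altered after issuance, or that was signed with a different key, fails at the signature step before any claim is read.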



4 Responses to What’s in an AuthorizationServer Access Token?

  1. Patrick says:

    You say “digitally signed” and it makes sense. I’m using an X.509 cert, which just works fine: validation is done by a combination of Thinktecture.IdentityModel.Tokens.IdentityModelJwtSecurityTokenHandler and System.IdentityModel.Tokens.JwtSecurityHandler.
    However, I don’t really understand where & how the magic happens. There is no documentation on either side, could you elaborate where the signature is hidden? How do we prevent that anyone fakes a token with some other valid certificate?

  2. Dominick,

    I’ve obtained my access token. Now I want to expose it to my java-script so I can call my WebAPIs. What is a ‘good’ way to expose the token so it can be used by the client java-script? I’ve been sending it down in a block in the page. It works, but feels like a bad idea.

