Protocol Confusion

JSON web tokens don’t have anything to do with OAuth. They don’t even inherently have anything to do with authentication or authorization — though that’s one use for JWT. JWT is a “method for representing claims securely between two parties.” That’s it. Those claims may be related to authorization or OAuth, but they don’t have to be. Your OAuth authorization server may issue JWT-based bearer or refresh tokens. But that does not matter. The only thing that does matter is that the authorization and resource servers in question adhere to the OAuth spec.
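As an added example (not code from the original post): minting and verifying an HS256 JWT with nothing but Python’s standard library. The claims describe a parcel, not a user or a scope, which is the point: the JWT spec alone dictates the structure and signature, and the verifier pins the algorithm and checks the signature before trusting a single claim. The key and claims are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed example key; a real deployment loads this from a secret store.
SECRET = b"example-shared-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(claims: dict, key: bytes) -> str:
    """Sign arbitrary claims with HS256. Nothing here is OAuth-specific."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token: str, key: bytes, now=None) -> dict:
    """Return the claims only if the HS256 signature and 'exp' check out."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: the verifier decides what it accepts, never the token header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))  # decode the payload only after the signature passes
    if "exp" in claims and (now if now is not None else time.time()) >= claims["exp"]:
        raise ValueError("expired")
    return claims

def is_valid(token: str, key: bytes, now=None) -> bool:
    """Boolean wrapper around verify_jwt for callers that only need accept/reject."""
    try:
        verify_jwt(token, key, now)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed claims about a shipment: a JWT, but not an access token.
    token = mint_jwt({"order": "A-123", "weight_kg": 2.5, "exp": 1_700_000_000}, SECRET)
    print(verify_jwt(token, SECRET, now=1_699_999_999))
```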

It’s so easy to fall into the trap of needing to know how something works under the hood. That’s okay, admirable even — it’s great to understand things — but it is often unnecessary.

Using OAuth? Focus on understanding the OAuth spec and terminology and forget the implementation details unless the task is to implement an OAuth authorization server. OpenID? Learn that spec, not how it’s implemented. Forget about the things that don’t matter and focus on the things that do. Issuing JWT-based tokens? Time to learn that spec.

The biggest thing, though, is realizing that not all protocols or RFCs are related. They may be used together. But that doesn’t mean they belong together. Focus on the protocol you are using.