Successful OAuth transactions require an OAuth authorization server (AS) to issue tokens characterized by both security model and data model for use in authenticating an API call.
Token security model
A token security model refers to the conditions that must be met by a client in order to use a token on an API call. The currently supported model is a Bearer Token. A client's presentation of the token – for example, as a parameter on the API call – to the resource server (RS) is interpreted as providing sufficient proof to the RS that the client received the same token from the OAuth AS.
Token data model
A token data model refers to whether the token carries identity and security information or acts as a pointer to the information.
- Self-contained tokens (JSON Web Tokens)
- Contain identity and security information and attributes in a transport format such as JSON, signed by the AS and verified directly by the RS.
- Reference tokens (Internally Managed Reference Tokens)
- Serve as a reference to some set of attributes. The RS must de-reference the token for the corresponding identity and security information at the OAuth AS that issued it.