
Using JWT for an Access Token

Published: August 10, 2020 | Updated: August 10th, 2020

JWT is a growing variant of the OAuth game when it comes to user authorization. WP OAuth Server has always supported JWT for Single Sign-On projects but now it supports JWT as an access token as well.

Using JWT can add more security to your application by allowing your client to verify that a token has not been tampered with, by checking the JWT using a public key and algorithm.

To enable JWT and use tokens as an access token, you must enable the “JWT Bearer” option in the Grant Types settings section of the plugin. This causes all access tokens to be issued in JWT format instead of the traditional access token format.

With this setting enabled, all authorization requests will be converted to JWT, enabling your applications to use JWT.

What is JWT

JWT is short for “JSON Web Token” and provides a little more security when dealing with access tokens. Security is added into the token itself by using cryptography to “sign” the token so that it can be verified by any client that receives it.

We highly recommend checking out https://jwt.io/ for more information on JSON Web Tokens, how to decode them, and how to use them.

Typical access tokens are just a random string representing an ID in a database for a given client and the authorization privileges granted to it for any given user or system. WP OAuth Server defaults to a token that is 40 characters long. These are considered standard and safe to use.

JSON Web Tokens are a bit more robust. They look something like the following.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

The JWT above is a sample token that contains 3 parts separated by a period (.). These parts provide different information. Overall, JWTs are longer and, in a sense, more secure, but they can be used just like a normal access token.
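
The following added example (not code from WP OAuth Server) shows, in Node.js, how a client can split a JWT into its three parts and check it with a public key and a pinned algorithm. It assumes RS256 signing; the key pair, the signRs256, tamper and isAccepted helpers, and the signed tokens are constructed for illustration.

```javascript
// Added example: keys, helper names and signed tokens are constructed for illustration.
const nodeCrypto = require('crypto');
// The sample token shown on this page (its header declares HS256).
const PAGE_SAMPLE = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

const b64urlDecode = (s) => Buffer.from(s, 'base64url');
const b64urlEncode = (data) => Buffer.from(data).toString('base64url');

// Split a compact JWT into its three dot-separated parts and decode the JSON ones.
function parseJwt(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [h, p, s] = parts;
  return {
    header: JSON.parse(b64urlDecode(h).toString('utf8')),
    payload: JSON.parse(b64urlDecode(p).toString('utf8')),
    signingInput: Buffer.from(`${h}.${p}`, 'ascii'), // the bytes the signature covers
    signature: b64urlDecode(s),
  };
}

// Verify with a pinned algorithm: the client decides it expects RS256 and
// never lets the token's own "alg" header choose how it is checked.
function verifyRs256(token, publicKey) {
  const jwt = parseJwt(token);
  if (jwt.header.alg !== 'RS256') throw new Error('unexpected alg: ' + jwt.header.alg);
  const ok = nodeCrypto.verify('sha256', jwt.signingInput, publicKey, jwt.signature);
  if (!ok) throw new Error('signature mismatch');
  return jwt.payload; // trust the claims only after the signature check passes
}

// Constructed stand-in for the server: a throwaway key pair and a signer.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function signRs256(payload) {
  const input = b64urlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' +
    b64urlEncode(JSON.stringify(payload));
  return input + '.' + b64urlEncode(nodeCrypto.sign('sha256', Buffer.from(input), privateKey));
}

// Replace the payload of a token while keeping its original signature.
function tamper(token, newPayload) {
  const [h, , s] = token.split('.');
  return `${h}.${b64urlEncode(JSON.stringify(newPayload))}.${s}`;
}

function isAccepted(token) {
  try { verifyRs256(token, publicKey); return true; } catch (e) { return false; }
}
```

The header and payload are only base64url-encoded JSON, so anyone holding the token can read them; the signature is what lets the client detect a modified payload.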
