I am trying to see if I could get my OAuth2 provider to return a Guid as an access token. I am aware that there are existing and well-defined token providers and formats.
The resulting token would look like this:
{
access_token: "a31b99f9-01d7-7165-09be-73d5b7655f15",
expires_in: 1799,
token_type= "bearer"
}
I don't need to support claims and the rest of the authentication details will be stored somewhere in the back-end for when I need to validate it (check the expiry, retrieve additional details, etc). I'm just wondering if it's a feasible option as well?
Yes. Tokens maybe passed by "reference" as long as the Authorization Server supports OAuth 2.0 Token Introspection.