Github has a new feature in beta stage called fine-grained personal access token, which allows to generate an api token for restrictive access. What is the approach for generating such a key? (assuming you have to implement it for your own app).
Does github generate a JWT with the scopes you select and it's validity date when you generate a new fine grained token? The final access token we get is not an encoded base64 jwt. It looks like github_pat_<randomString>. Is this token assigned to the jwt in the authorization backend? What is a good approach to get something like this to work?
Thanks a lot.
It is a privacy preserving best practice to issue opaque access tokens to internet clients. Access tokens are for sending to APIs (resource servers) and should not be readable by internet clients.
In OAuth 2.0 the API owner uses an authorization server (AS) to issue access tokens with least privilege to each client. The AS allows scopes (high level privileges) and claims (fine grained privileges) to be issued to access tokens, to lock them down.
The AS should also be configured to issue opaque access tokens. The AS then stores a hash of the opaque value and also the token data.
During API requests, when the backend receives opaque access tokens, they are introspected to get the token data. This involves sending the opaque token and a client credential to the introspection endpoint of the AS and receiving back the token data.
Introspection is often done in an API gateway placed in front of APIs. The gateway then caches results for future requests with the same access token. The scopes and claims are then forwarded to the target API, which uses them to apply its business authorization.