May an OAuth 2.0 access token be a JWT?

Backend Unresolved 2 785
后悔当初
后悔当初 2020-12-15 04:30

From what I can tell, the OAuth 2.0 specification is extremely vague in terms of what form an access token should take:

The token may den

Related tags:
2 answers
  • 2020-12-15 04:49

    As long as the Authorization Server and the Resource Server agree on what the access token means, it doesn't matter what its content is. So the only reason you could have a problem would be if you were using different libraries or frameworks when implementing those two servers.

    0 Discussion (0)
  • 2020-12-15 04:53

    A1: Using a JWT as an access token is certainly permissible by spec exactly because the spec does not restrict its format.

    A2: The idea behind using a JWT as an access token is that it can then be self-contained so that the target can verify the access token and use the associated content without having to go back to the Authorization Server. That is a great property but makes revocation harder. So if your system requires a capability for immediate revocation of access, a JWT is probably not the right choice for an access token (though you can get pretty far by reducing the lifetime of the JWT).

    0 Discussion (0)
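The second answer's point (a self-contained JWT lets the Resource Server validate locally, at the cost of harder revocation) can be shown end to end. The following is an added example, not code from the question or either answer: a minimal Authorization Server that mints an HS256 JWT access token and a Resource Server that verifies it with nothing but the shared secret, then a demo of why a revoked-but-unexpired token is still accepted unless the RS also consults a deny-list or the lifetime is kept short. The secret, issuer and audience values are constructed for the example; only the standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Set

# Constructed example values (not from the page). A shared HMAC secret keeps the
# example self-contained; a real deployment would usually sign with an asymmetric
# key so the Resource Server only needs the public half.
SHARED_SECRET = b"example-shared-secret-not-for-production"
ISSUER = "https://as.example"        # assumed Authorization Server identifier
AUDIENCE = "https://api.example"     # assumed Resource Server identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_access_token(subject: str, scope: str, lifetime_s: int,
                      now: Optional[int] = None) -> str:
    """Authorization Server side: issue a self-contained HS256 JWT access token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "at+jwt"}   # "at+jwt" is the RFC 9068 access-token type
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "scope": scope,
              "iat": now, "exp": now + lifetime_s, "jti": f"tok-{now}-{subject}"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, now: Optional[int] = None,
                        revoked_jtis: Optional[Set[str]] = None) -> dict:
    """Resource Server side: validate entirely locally, no call back to the AS.

    Raises ValueError on any failure and returns the claims on success. The
    optional deny-list is the extra state needed for immediate revocation.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if revoked_jtis is not None and claims.get("jti") in revoked_jtis:
        raise ValueError("revoked")
    return claims


def _accepts(token: str, now: int, revoked: Optional[Set[str]] = None) -> bool:
    try:
        verify_access_token(token, now=now, revoked_jtis=revoked)
        return True
    except ValueError:
        return False


def revocation_tradeoff(now: int = 1_700_000_000) -> dict:
    """Show the property the answer describes: purely stateless verification
    keeps accepting a token after the AS revokes it, until it expires."""
    token = mint_access_token("alice", "read", lifetime_s=300, now=now)
    jti = verify_access_token(token, now=now)["jti"]
    revoked = {jti}                      # the AS has revoked this token
    return {
        "before_revoke": _accepts(token, now),
        "after_revoke_stateless": _accepts(token, now + 10),            # still valid!
        "after_revoke_with_denylist": _accepts(token, now + 10, revoked),
        "after_expiry": _accepts(token, now + 301),                     # short lifetime bounds the damage
    }


if __name__ == "__main__":
    print(revocation_tradeoff())
```

The stateless path is what makes the JWT attractive: signature, issuer, audience and expiry are all checked without a network call. The deny-list parameter is the price of immediate revocation, since the RS then has to learn revoked `jti` values from the AS, which is the "going back to the Authorization Server" the answer wanted to avoid; shortening `lifetime_s` is the compromise the answer alludes to.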