Theory
Opaque Tokens vs. JWT
π Overview
In modern authentication, the choice between Opaque Tokens and JSON Web Tokens (JWT) is a fundamental architectural decision. Opaque tokens are "By-Reference"βthey are random strings that point to data stored on a server. JWTs are "By-Value"βthey are self-contained, digitally signed objects that carry their own data. This choice dictates how your services validate identity and how you handle session revocation.
ποΈ Core Principles & Characteristics
Opaque Tokens (Reference Tokens)
- Server-Side State: The server stores the token's meaning (User ID, Scopes) in a database or cache (Redis).
- Introspection: To validate the token, the Resource Server must make a network call back to the Authorization Server (
/introspect). - Privacy: The token itself contains zero information; even if intercepted, no user data is exposed.
JWT (Value Tokens)
- Statelessness: All data (claims) is encoded into the token itself.
- Local Validation: The Resource Server validates the token's signature using a public key (JWKS) without making any network calls.
- Standardized Format: Header (Alg), Payload (Data), and Signature.
βοΈ Trade-offs: Pros & Cons
Opaque Tokens
- Pros: Instant Revocation (just delete from DB); high security (no PII in token); small size.
- Cons: Higher Latency (DB lookup per request); Auth Server becomes a bottleneck and single point of failure.
JWT
- Pros: Extremely Scalable (perfect for microservices); low latency (no network calls for validation); stateless.
- Cons: Hard to Revoke (valid until it expires); larger size (bloats HTTP headers); sensitive data shouldn't be in the payload.
π Real-World Implementation
- High-Security Systems (Banking): Often prefer Opaque Tokens because the ability to "Kill a Session" instantly across all devices is a hard requirement.
- Large-Scale Microservices (Netflix/Google): Use JWTs to avoid millions of introspection calls that would crush their identity services.
- Hybrid Approach (Phantom Tokens): A common "Best Practice." The client gets an Opaque Token (at the edge/gateway), which the Gateway then swaps for a JWT to pass to internal microservices.
π‘ Interview "Gotchas" & Tips
- The Revocation Problem: If asked how to revoke a JWT, mention: 1. Keeping TTLs short (5 mins). 2. Using a "Deny List" in Redis (though this re-introduces state). 3. Refresh Token rotation.
- Security: Remind the interviewer that JWTs are encoded, not encrypted. Anyone can read the payload at
jwt.io. Never store passwords or SSNs in a JWT. - Introspection Bottleneck: If a system uses Opaque tokens and experiences a 500ms delay, the culprit is likely the introspection network call.
π Suggested Architecture Primitives
- Redis: The standard store for Opaque tokens or JWT Deny Lists.
- JWKS Endpoint: The URL where an Auth Server publishes its public keys for JWT validation.
- BFF (Backend for Frontend): A pattern where the backend manages the tokens, keeping them out of the browser's "Local Storage" (XSS risk).
- Phantom Token Pattern: The industry standard for combining Opaque security with JWT performance.
Canvas