
Heya. I own Microsoft OAuth2. We use JWTs for our access tokens (the consumer service uses encrypted tokens, yes).

Auth0 just championed the RFC for a standard for JWTs as access tokens too, largely informed by the architect there working on our access token format.

CAEP and RISC are how we're tackling revocation. Encrypted JWTs handle PII.

OAuth is a fantastic way to scale complexity - the whole "first party" consideration here is a red herring. Do you think we want Outlook calling the Exchange backend via a different auth protocol from the one we tell 3p clients to use? That's a waste of time to go build.

We also just added support for the JWTs emitted by Google and AWS, so that you can token exchange their JWTs for an access token in our ecosystem.



How does that token exchange work? Does the user need to have a previously linked account?


The Microsoft-side app owner provides a trust description of the incoming token based on issuer, subject, and audience - https://docs.microsoft.com/en-us/azure/active-directory/deve...
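The two posts above describe the shape of the exchange: an external issuer's JWT comes in, and the app owner's registered trust description (issuer, subject, audience) decides whether it may be swapped for a token in the receiving ecosystem. The following is an added illustration written for this thread, not Microsoft's, Google's or AWS's code, and it does not reproduce the linked documentation. It verifies a token's signature, then requires an exact match of `iss`/`sub`/`aud` against a registered description before reporting it as trusted. The issuer URL, subject string, audience and the `TRUST_DESCRIPTIONS` / `ISSUER_KEYS` tables are constructed placeholders; HS256 with a shared secret stands in for the issuer's published signing keys so the example runs with the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo key for a hypothetical external issuer. A real relying party
# would fetch the issuer's public keys from its published key set; a shared
# HS256 secret is used here only to keep the example self-contained.
ISSUER_KEYS = {
    "https://issuer.example": b"constructed-demo-secret",
}

# A trust description of the kind the app owner registers: the incoming token
# must carry exactly this issuer, subject and audience (constructed values).
TRUST_DESCRIPTIONS = [
    {
        "issuer": "https://issuer.example",
        "subject": "workload:example-org/example-service",
        "audience": "api://example-app",
    },
]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT; used here only to construct sample inputs."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(claims).encode())}"
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def evaluate_incoming_token(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Verify the signature, then match iss/sub/aud against a trust description."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError:  # covers bad split, bad base64 and bad JSON
        return False, "malformed token"

    # Pin the algorithm; never let the token's own header choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"

    # The issuer claim selects the verification key; unknown issuers are
    # rejected before any signature check.
    key = ISSUER_KEYS.get(claims.get("iss"))
    if key is None:
        return False, "unknown issuer"

    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return False, "bad signature"

    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return False, "expired"

    # 'aud' may be a single string or a list per the JWT spec; normalise it.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]

    # Only an exact (issuer, subject, audience) match is accepted.
    for td in TRUST_DESCRIPTIONS:
        if (
            claims.get("iss") == td["issuer"]
            and claims.get("sub") == td["subject"]
            and td["audience"] in audiences
        ):
            return True, "trusted"
    return False, "no matching trust description"


if __name__ == "__main__":
    sample = mint_jwt(
        {"iss": "https://issuer.example", "sub": "workload:example-org/example-service",
         "aud": "api://example-app", "exp": 2_000_000_000},
        ISSUER_KEYS["https://issuer.example"],
    )
    print(evaluate_incoming_token(sample))
```

The order of checks is the point: the signature is verified with the key selected by `iss`, and only then are `sub` and `aud` compared, so a token that is validly signed by a trusted issuer but carries an unregistered subject or audience is still refused. The exchange itself (minting a token in the receiving ecosystem) would happen only after `(True, "trusted")`.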



