You can actually issue a JWT as an access token (since OAuth doesn't
care about the token format), so in this case the JWT would be used to
get access to the widget provider. The JWT would be a pre-signed bearer
token that the provider would know how to check.
-- Justin
On 9/2/2011 6:50 PM,
Very nice. The token format is straightforward, and not terribly unlike our
current "proprietary" approach (we use CSV instead of JSON, but at the end of
the day it's a bunch of fields and HMAC). Even if all we did was swap out our
current format for JWT, I think that would be a big win.
So,
