JSON Web Tokens (JWT) are created during an OAuth 2.0 Token Grant, such as a password grant or a refresh grant. A password grant happens when a user initially logs in and supplies their username and password to the token endpoint, and is issued their very first JWT. A refresh grant happens when the JWT is about to expire: the client presents its refresh token to the token endpoint and a new JWT is issued so the user does not need to log in again. In either of these processes a new JWT must be created, and its claims are assembled afresh each time.
The key/value pairs inside the JWT are called claims. The Tribestream API Gateway (TAG) introduces the concept of Claims Sources, allowing multiple external systems, such as LDAP, databases or microservices, to supply key/value pairs when JWTs are created during an OAuth 2.0 Token Grant. This expands the usefulness of the JWT from a simple security token to something that can carry a greater set of user information or application state.
As JWTs live in the user’s client application once issued and are re-issued on each refresh grant while the user is still active, they become valuable as a form of client-side cache, and Claims Sources become the primary deciders of what is in that cache. Two properties of that cache follow from how JWTs work: its contents are only as fresh as the most recent grant, and because a signed JWT (JWS) is encoded but not encrypted, every claim a Claims Source adds is readable by the client and by anyone else who obtains the token, so a Claims Source should not supply data the user is not entitled to see.
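To make the grant flow and the claims-assembly step concrete, here is an added, self-contained model of a token endpoint in Python. It is illustrative code written for this page, not TAG's implementation: the claims sources (`ldap_claims`, `database_claims`, `microservice_claims`), the in-memory user records, the HS256 signing key and the request/response dictionaries are all constructed for the example. It handles both the password grant and the refresh grant, merges the claims each source returns into the new JWT, verifies signature and expiry on the way back in, and shows that the payload can be read without the key.

```python
"""Illustrative OAuth 2.0 token endpoint that assembles JWT claims from several
claims sources. Constructed example for this page, not Tribestream API Gateway code."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = b"example-hs256-key-do-not-use-in-production"  # hypothetical key
ACCESS_TOKEN_TTL = 300  # seconds until the issued JWT expires

# Constructed stand-ins for the external systems a Claims Source would query.
# (The plaintext password is only to keep the example short.)
LDAP_DIRECTORY = {"alice": {"groups": ["engineering", "oncall"], "mail": "alice@example.com"}}
USER_DATABASE = {"alice": {"password": "s3cret", "plan": "enterprise"}}
SHIPPING_SERVICE = {"alice": {"preferred_warehouse": "us-east-1"}}


# A claims source is modelled as a function: username -> dict of claims to merge.
def ldap_claims(username):
    entry = LDAP_DIRECTORY.get(username, {})
    return {"groups": entry.get("groups", []), "email": entry.get("mail")}


def database_claims(username):
    return {"plan": USER_DATABASE.get(username, {}).get("plan")}


def microservice_claims(username):
    return dict(SHIPPING_SERVICE.get(username, {}))  # stands in for an HTTP call


CLAIMS_SOURCES = [ldap_claims, database_claims, microservice_claims]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now=None) -> dict:
    """Check signature and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def build_claims(username: str, issued_at: float) -> dict:
    """Standard claims plus everything the configured claims sources return."""
    claims = {"sub": username, "iat": int(issued_at), "exp": int(issued_at) + ACCESS_TOKEN_TTL}
    for source in CLAIMS_SOURCES:
        claims.update(source(username))
    return claims


REFRESH_TOKENS = {}  # refresh token -> subject; server-side, single use


def token_grant(request: dict, now=None) -> dict:
    """Handle a token-endpoint request for grant_type=password or refresh_token."""
    now = time.time() if now is None else now
    grant = request.get("grant_type")
    if grant == "password":
        user = USER_DATABASE.get(request.get("username"))
        supplied = request.get("password", "").encode()
        if not user or not hmac.compare_digest(user["password"].encode(), supplied):
            return {"error": "invalid_grant"}
        username = request["username"]
    elif grant == "refresh_token":
        username = REFRESH_TOKENS.pop(request.get("refresh_token"), None)
        if username is None:
            return {"error": "invalid_grant"}
    else:
        return {"error": "unsupported_grant_type"}
    refresh = secrets.token_urlsafe(32)
    REFRESH_TOKENS[refresh] = username
    return {"access_token": sign_jwt(build_claims(username, now), SIGNING_KEY),
            "token_type": "Bearer", "expires_in": ACCESS_TOKEN_TTL, "refresh_token": refresh}


def read_claims_unverified(token: str) -> dict:
    """What the client (or anyone holding the token) can read without the key."""
    return json.loads(_b64url_decode(token.split(".")[1]))


if __name__ == "__main__":
    first = token_grant({"grant_type": "password", "username": "alice", "password": "s3cret"})
    print("claims:", verify_jwt(first["access_token"], SIGNING_KEY))
    SHIPPING_SERVICE["alice"]["preferred_warehouse"] = "eu-west-1"  # upstream state changes
    renewed = token_grant({"grant_type": "refresh_token", "refresh_token": first["refresh_token"]})
    print("after refresh:", read_claims_unverified(renewed["access_token"])["preferred_warehouse"])
```

Run it as a script to see the first JWT's claims, then the claim from the microservice source change on the next refresh grant, which is the cache-refresh behaviour the text describes. The refresh token is deliberately single use and the password comparison is constant-time; both are design choices of this example rather than statements about TAG.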