According to RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage, the bearer token is:
A security token with the property that any party in possession of the token (a “bearer”) can use the token in any way that any other party in possession of it can.
To me this definition is vague and I can’t find any specification.
- Suppose I am implementing an authorization provider, can I supply any kind of string for the bearer token?
- Can it be a random string?
- Does it have to be a base64 encoding of some attributes?
- Should it be hashed?
- And does the service provider need to query the authorization provider in order to validate this token?
Thank you for any pointer.
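The two designs the question circles around, as an added illustration (not code from the question or any library): an opaque random token that the authorization server stores only as a hash and that the resource server must look up, and a self-contained HMAC-signed token that the resource server validates locally with a shared key. Names, the claim layout and the sample subjects are assumptions for the example.

```python
import base64, hashlib, hmac, json, secrets, time

# Option A: opaque random bearer token. The authorization server stores only a
# hash of it, so a leaked store does not leak usable tokens; the resource server
# has to call back (introspect) to learn what the token means.
class OpaqueTokenStore:
    def __init__(self):
        self._by_hash = {}  # sha256(token) -> claims

    def issue(self, subject, scope, ttl=3600, now=None):
        token = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG, unguessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._by_hash[digest] = {"sub": subject, "scope": scope,
                                 "exp": (now or time.time()) + ttl}
        return token

    def introspect(self, token, now=None):
        rec = self._by_hash.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None or rec["exp"] < (now or time.time()):
            return None  # unknown, revoked or expired
        return rec

# Option B: self-contained token (simplified JWT-like layout):
# base64url(claims) "." base64url(HMAC-SHA256). The resource server validates it
# locally with the shared key, no callback needed, but revoking a token before
# its "exp" then needs extra machinery (a blocklist or short lifetimes).
def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_signed_token(key, claims):
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def verify_signed_token(key, token, now=None):
    try:
        payload, sig = token.split(".")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None  # forged or tampered: check the MAC before parsing claims
        claims = json.loads(_unb64(payload))
        if not isinstance(claims, dict):
            return None
    except ValueError:  # covers bad base64 and bad JSON
        return None  # malformed token
    if claims.get("exp", 0) < (now or time.time()):
        return None  # expired
    return claims
```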