Question

I recently stumbled upon JSON Web Tokens (JWT), and as far as I have understood it, they are just a compact form of a token that can easily be serialized (as it is JSON).

Now, my question is: Are JWTs related to OAuth in any form, or are they two completely independent concepts?


Solution

The OAuth2 spec doesn't actually require the use of JWTs, since it treats tokens as opaque, but they are a convenient standard for implementers to use. If you look at the OpenID Connect Specification, which builds on top of OAuth2 to provide an authentication system, then you'll find that it does make explicit use of JWTs, for example in the definition of the ID Token.

JWTs can also support signing and encryption in a standard way (see the accompanying JWE and JWS specs).

License: CC-BY-SA with attribution
Not affiliated with StackOverflow