A JWT is base64url-encoded and (normally) signed, not encrypted: anyone who holds the token can read every claim in it. Do not put sensitive info in a JWT unless the payload is actually encrypted (JWE).
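To make the "encoded, not encrypted" point concrete, here is an added example (not code from the original notes) that builds an HS256-signed JWT, then reads its claims back without the key. The key, the claims and the SSN value are constructed for the demo; only the verifier ever needs the key, and all it can check is integrity.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a JWS-signed (HS256) JWT. The signature gives integrity, not secrecy."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def read_claims_without_key(token: str) -> dict:
    """What anyone holding the token can do: decode the payload segment.
    No key is involved, because JWS signs the payload but does not encrypt it."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """The resource server's check: recompute the HMAC and compare in constant time.
    Returns the claims on success, None on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # refuse "none" and algorithm-confusion tokens
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(payload_b64))


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed for this example
    token = make_hs256_jwt({"sub": "alice", "ssn": "123-45-6789"}, key)
    print(read_claims_without_key(token))   # the SSN is readable with no key at all
    print(verify_hs256(token, b"wrong-key"))  # None: forgery is caught, reading is not
```

The asymmetry is the whole point: the signature stops a holder from changing the claims, but nothing stops them (or a proxy, a log, a browser extension) from reading them.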
Token Revocation
It is RFC 7009
Lets a client revoke (cancel) an access or refresh token by POSTing it to the authorization server's revocation endpoint, authenticated as the client the token was issued to; revoking a refresh token should also invalidate the access tokens derived from the same grant
Token Introspection
It is RFC 7662
Lets a resource server ask the authorization server what a token means (subject, client, scope, expiry) instead of trying to interpret the token itself
Useful for opaque tokens, which carry nothing readable on their own
Reports whether the token is active or not; "active": false covers expired, revoked and unknown tokens alike, so the response leaks nothing about why
Effectively mandatory if you have token revocation: a resource server that validates a JWT locally cannot see that the token was revoked before its expiry
With introspection, your resource servers (and client applications) can query the authorization server per request to learn whether a token is still valid, rather than trusting the token alone
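The revocation and introspection sections above describe one flow, so here is one added example for both (written for these notes, not taken from the RFCs or any real server): an in-memory authorization server with a revoke operation in the style of RFC 7009 and an introspect operation in the style of RFC 7662, plus the resource-server check that uses it. The client IDs, secrets and token store are constructed for the demo; the error code returned when a client tries to revoke another client's token is this example's choice.

```python
import secrets
import time
from typing import Optional, Tuple


class AuthorizationServer:
    """In-memory authorization server exposing RFC 7009 (revoke) and RFC 7662
    (introspect) style operations. Clients and tokens are constructed for this example."""

    def __init__(self):
        self._tokens = {}                       # opaque token string -> record
        self._clients = {"app": "app-secret",   # the client that obtains tokens
                         "api": "api-secret"}   # the resource server that introspects them

    def issue(self, client_id: str, sub: str, scope: str, ttl: int = 3600) -> str:
        token = secrets.token_urlsafe(32)  # opaque: carries no meaning outside this server
        self._tokens[token] = {"client_id": client_id, "sub": sub, "scope": scope,
                               "exp": int(time.time()) + ttl, "revoked": False}
        return token

    def _authenticate(self, client_id: str, client_secret: str) -> bool:
        expected = self._clients.get(client_id)
        return expected is not None and secrets.compare_digest(expected, client_secret)

    def revoke(self, client_id, client_secret, token, token_type_hint=None) -> Tuple[int, Optional[dict]]:
        """RFC 7009 POST /revoke. Unknown tokens still get 200, so the endpoint cannot be
        used to probe which token strings exist. token_type_hint is only a lookup hint."""
        if not self._authenticate(client_id, client_secret):
            return 401, {"error": "invalid_client"}
        rec = self._tokens.get(token)
        if rec is None:
            return 200, None
        if rec["client_id"] != client_id:
            # RFC 7009 refuses revocation of a token issued to a different client;
            # the specific error code used here is this example's assumption.
            return 400, {"error": "unauthorized_client"}
        rec["revoked"] = True
        return 200, None

    def introspect(self, client_id, client_secret, token, now: Optional[int] = None) -> Tuple[int, Optional[dict]]:
        """RFC 7662 POST /introspect. The caller (normally a resource server) must
        authenticate. Expired, revoked and unknown tokens all collapse to {"active": false}."""
        if not self._authenticate(client_id, client_secret):
            return 401, {"error": "invalid_client"}
        now = int(time.time()) if now is None else now
        rec = self._tokens.get(token)
        if rec is None or rec["revoked"] or rec["exp"] <= now:
            return 200, {"active": False}
        return 200, {"active": True, "scope": rec["scope"], "client_id": rec["client_id"],
                     "sub": rec["sub"], "exp": rec["exp"], "token_type": "Bearer"}


def resource_server_allows(auth_server: AuthorizationServer, token: str, required_scope: str) -> bool:
    """What a resource server does per request with an opaque token: introspect, then
    check active and scope. It never tries to interpret the token string itself."""
    status, info = auth_server.introspect("api", "api-secret", token)
    if status != 200 or not info.get("active"):
        return False
    return required_scope in info.get("scope", "").split()


if __name__ == "__main__":
    srv = AuthorizationServer()
    tok = srv.issue("app", "alice", "read write")
    print(resource_server_allows(srv, tok, "write"))   # True
    srv.revoke("app", "app-secret", tok)
    print(srv.introspect("api", "api-secret", tok))     # (200, {'active': False})
    print(resource_server_allows(srv, tok, "write"))   # False: revocation is visible at once
```

Two practitioner details are baked in: both endpoints require client authentication, because an unauthenticated introspection endpoint is a token-validity oracle for anyone who steals a token, and both give the same answer for unknown and revoked tokens so that neither endpoint can be used to enumerate live tokens.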
Dynamic Client Registration
It is RFC 7591
Defines a consistent API for creating OAuth clients at runtime: POST the client metadata (redirect_uris, grant_types, token_endpoint_auth_method, ...) and get back a client_id and, for confidential clients, a client_secret
Useful in self-service API developer console
Followed by RFC 7592, Dynamic Client Registration Management, which adds read/update/delete of a registration, authorized by a registration access token returned at registration time
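An added example of the registration side (written for these notes, not the text of RFC 7591/7592 or any product): a minimal registration endpoint that validates the submitted metadata before minting credentials, and the RFC 7592 read operation guarded by the registration access token. The base URL, the allowed grant types and the redirect URI policy (https only, except loopback addresses for development) are this example's assumptions; the error codes used are the ones RFC 7591 defines.

```python
import secrets
import time
from typing import Tuple
from urllib.parse import urlparse

ALLOWED_GRANT_TYPES = {"authorization_code", "refresh_token", "client_credentials"}
ALLOWED_AUTH_METHODS = {"client_secret_basic", "client_secret_post", "none"}


def redirect_uri_ok(uri: str) -> bool:
    """Registration-time redirect URI policy (this example's policy, not mandated by
    RFC 7591): absolute URL, no fragment, https except for loopback development URLs."""
    u = urlparse(uri)
    if not u.scheme or not u.netloc or u.fragment:
        return False
    if u.scheme == "https":
        return True
    return u.scheme == "http" and u.hostname in ("localhost", "127.0.0.1", "::1")


class RegistrationServer:
    def __init__(self, base_url: str = "https://as.example.test"):  # hypothetical AS
        self.base_url = base_url
        self._clients = {}     # client_id -> stored client metadata
        self._reg_tokens = {}  # client_id -> registration access token (RFC 7592)

    def register(self, req: dict) -> Tuple[int, dict]:
        """RFC 7591 POST /register. Returns (HTTP status, JSON body)."""
        grant_types = set(req.get("grant_types", ["authorization_code"]))
        if not grant_types <= ALLOWED_GRANT_TYPES:
            return 400, {"error": "invalid_client_metadata",
                         "error_description": "unsupported grant_types"}
        auth_method = req.get("token_endpoint_auth_method", "client_secret_basic")
        if auth_method not in ALLOWED_AUTH_METHODS:
            return 400, {"error": "invalid_client_metadata",
                         "error_description": "unsupported token_endpoint_auth_method"}
        redirect_uris = list(req.get("redirect_uris", []))
        if "authorization_code" in grant_types and (
                not redirect_uris or not all(redirect_uri_ok(u) for u in redirect_uris)):
            return 400, {"error": "invalid_redirect_uri"}

        client_id = secrets.token_urlsafe(16)
        meta = {"client_id": client_id, "client_id_issued_at": int(time.time()),
                "client_name": req.get("client_name", ""), "grant_types": sorted(grant_types),
                "redirect_uris": redirect_uris, "token_endpoint_auth_method": auth_method}
        if auth_method != "none":  # confidential client: issue a secret
            meta["client_secret"] = secrets.token_urlsafe(32)
            meta["client_secret_expires_at"] = 0  # 0 means "does not expire" in RFC 7591
        self._clients[client_id] = meta

        reg_token = secrets.token_urlsafe(32)
        self._reg_tokens[client_id] = reg_token
        resp = dict(meta)
        resp["registration_access_token"] = reg_token               # RFC 7592
        resp["registration_client_uri"] = f"{self.base_url}/register/{client_id}"
        return 201, resp

    def read(self, client_id: str, bearer: str) -> Tuple[int, dict]:
        """RFC 7592 GET on registration_client_uri, authorized only by the registration
        access token. An unknown client_id is answered exactly like a bad token."""
        expected = self._reg_tokens.get(client_id)
        if expected is None or not secrets.compare_digest(expected, bearer):
            return 401, {"error": "invalid_token"}
        return 200, self._clients[client_id]
```

The redirect URI check is the part that matters for a self-service console: whatever a developer registers here is what the authorization endpoint will later redirect codes to, so an open (non-absolute, fragment-carrying, or plain-http) redirect URI registered today is an authorization code leak tomorrow. The registration access token is itself a bearer credential and should be stored by the client as carefully as the client secret.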
Authorization Server Metadata
It is RFC 8414
It is the Authorization Server Metadata specification (aka the OAuth Discovery Document), served under /.well-known/oauth-authorization-server
Allows us to query the authorization server itself, get back a JSON document with its capabilities and related endpoints (authorization, token, revocation, introspection, jwks_uri, supported auth methods, PKCE methods), and then configure our applications from it. The issuer value in the document must match the issuer we queried; a mismatch means the document cannot be trusted
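An added example of consuming the discovery document (written for these notes; the issuer and the document are constructed for a hypothetical server, and no real server is contacted): compute the RFC 8414 well-known URL for an issuer, then turn a fetched document into client configuration only after the issuer, required fields and endpoint schemes check out. Requiring PKCE S256 and preferring private_key_jwt over a shared secret are this example's policy, not something the RFC mandates.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"

# Constructed discovery document for a hypothetical issuer (not a real server).
SAMPLE_ISSUER = "https://as.example.test/tenant1"
SAMPLE_METADATA = json.dumps({
    "issuer": "https://as.example.test/tenant1",
    "authorization_endpoint": "https://as.example.test/tenant1/authorize",
    "token_endpoint": "https://as.example.test/tenant1/token",
    "revocation_endpoint": "https://as.example.test/tenant1/revoke",
    "introspection_endpoint": "https://as.example.test/tenant1/introspect",
    "jwks_uri": "https://as.example.test/tenant1/jwks",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
    "code_challenge_methods_supported": ["S256"],
})


class MetadataError(Exception):
    pass


def metadata_url(issuer: str) -> str:
    """RFC 8414 §3: the well-known path goes between the host and the issuer's path
    component, so https://host/x becomes https://host/.well-known/oauth-authorization-server/x."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise MetadataError("issuer must be an https URL with no query or fragment")
    return f"https://{parts.netloc}{WELL_KNOWN}{parts.path.rstrip('/')}"


def client_config(issuer: str, raw_document: str) -> dict:
    """Turn a fetched discovery document into client configuration, refusing it if it
    is not safe to trust."""
    md = json.loads(raw_document)
    if md.get("issuer") != issuer:  # RFC 8414 §3.3: MUST match what we asked for (mix-up defence)
        raise MetadataError("issuer in document does not match the issuer queried")
    for key in ("authorization_endpoint", "token_endpoint", "response_types_supported"):
        if key not in md:
            raise MetadataError(f"missing required field {key}")
    for key in ("authorization_endpoint", "token_endpoint", "revocation_endpoint",
                "introspection_endpoint", "jwks_uri"):
        if key in md and urlsplit(md[key]).scheme != "https":
            raise MetadataError(f"{key} is not https")
    if "S256" not in md.get("code_challenge_methods_supported", []):
        raise MetadataError("server does not support PKCE S256")  # this example's policy
    preferred = ["private_key_jwt", "client_secret_basic"]        # this example's preference
    supported = md.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    auth_method = next((m for m in preferred if m in supported), None)
    if auth_method is None:
        raise MetadataError("no acceptable token endpoint auth method")
    return {
        "authorization_endpoint": md["authorization_endpoint"],
        "token_endpoint": md["token_endpoint"],
        "revocation_endpoint": md.get("revocation_endpoint"),
        "introspection_endpoint": md.get("introspection_endpoint"),
        "jwks_uri": md.get("jwks_uri"),
        "token_endpoint_auth_method": auth_method,
        "pkce": "S256",
    }


if __name__ == "__main__":
    print(metadata_url(SAMPLE_ISSUER))   # where a real client would GET the document
    print(client_config(SAMPLE_ISSUER, SAMPLE_METADATA))
```

The issuer comparison is the one check not to skip: a client that accepts whatever endpoints a document advertises, without tying the document to the issuer it asked about, can be pointed at an attacker's token endpoint and hand over authorization codes and client credentials.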
Misc Extensions
SMART on FHIR
Designed specifically to integrate with electronic health records or patient portals and to more easily share data between them safely.
This allows the receptionist in your doctor's office to see which tests were performed but not necessarily the results; only your doctor can see those.
HEART
Health Relationship Trust
A set of profiles of OAuth 2.0, OpenID Connect and UMA (from the OpenID Foundation) for patient-controlled sharing of specific health data.
Open Banking
Banking Information should be easily but securely accessible via APIs.