oauth_jwt feature now supports JWT Secured Authorization Request (JAR) (see tools.ietf.org/html/draft-ietf-oauth-jwsreq-20). This means that client applications can send the authorization parameters inside a signed JWT. The client applications keeps the private key, while the authorization server must store a public key for the client application. For encrypted JWTs, the client application should use one of the public encryption keys exposed in the JWKs URI, to encrypt the JWT. Remember, tokens must be signed then encrypted (or just signed).
:oauth_application_jws_jwk_column: db column where the public key is stored; since it’s stored in the JWS format, it can be stored either as a String (JSON-encoded), or as an hstore (if you’re using postgresql);
:oauth_jwt_jwe_key: key used to decrypt the request JWT;
:oauth_jwt_jwe_public_key: key used to encrypt the request JWT, and which will be exposed in the JWKs URI in the JWK format;
_paramoptions; these defined the URL params, however we’re using protocol-defined params, so it’s unlikely (and undesired) that these’ll change.
Hitting the revoke endpoint with a JWT access token returns a 400 error;