Allow generating JWT access tokens even without using a resource server

[segevfiner]

It seems you can currently only switch to JWT access tokens when using a resource server, it would be nice to be able to generate JWT access tokens when not using a resource server. It's obvious why this can be useful as such access tokens can be verified without access to the Provider/Adapter, at the expense of not supporting revocation if you don't check for that regardless.

[panva]

Where would you use such an Access Token? What would be its audience?

[segevfiner]

My "own API" so to speak. Basically when integrating oidc-provider for authenticating to the same system where it is embedded in.

Like when you authenticate to GitHub's own API with OAuth, you don't supply a resource, as you are authenticating to GitHub itself, rather then a subsidiary resource server that uses GitHub for authentication in that fashion, in contrast for using it only for SSO via ID tokens/userinfo and minting its own access tokens/sessions.

So the audience in effect can be the same as the issuer, or some other custom value if wanted that makes sense for that same API server and used by default.

[panva]

Then use the resourceIndicators feature and configure its defaultResource and useGrantedResource helpers to that effect so that your clients don't need to specify the resource parameter.

[segevfiner]

So that's the intended usage? OK, I can try that.

[panva]

Yes. If your intended use of an Access Token is anything but UserInfo Endpoint access it must go through resource indicators. At the same time UserInfo Endpoint tokens can only be opaque.