Issues such as #3195129: Add indexes to the oauth2_token table β reveal the costs of overhead involved in storing all access tokens and verifying them by ID. We already validate the signature of the provided token, and the user is loaded so we can also check their status at runtime. I think it would be interesting/helpful for many types of larger/high volume sites to not store access tokens but verify them by signature only. This would probably work fine in most applications with a sufficiently short TTL for access tokens (and also make it lower cost to have a lower TTL. Fewer things to revoke.) We could also implement some sort of revocation list to do runtime denial of tokens for users disabled/"logged out" before expiration.
Active
6.0
Code
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
I agree it would be interesting for the community to have this feature. I think we can do this with JSON Web Tokens, see:
I'm pretty jammed with work, anyone who wants to contribute this feature, please feel free to do so.