...

The other approach is to generate a secret key, use this key to encrypt the token, and then use the certificate's public key to encrypt the secret key. The encrypted token and the encrypted secret key can both be returned to the client, the latter as an extra token parameter, for example a 'key' parameter. This 'key' parameter will need to be sent back to the OAuth2 server alongside the token, via the HTTP header or the custom authorization scheme. Data providers using this mechanism will need to implement AccessTokenValidator, decrypt the encrypted key with the private key corresponding to the certificate, and then decrypt the token with the recovered secret key. Please check the code example in EncryptionsUtilsTest.
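The following is an added, self-contained illustration of that two-layer scheme using only JDK classes; it is not CXF code and not the EncryptionsUtilsTest referred to above. The class and method names (WrappedTokenExample, wrap, unwrap) are hypothetical, as is the assumption that the resource server's certificate key pair is RSA; the unwrap side is the work a custom AccessTokenValidator would do before handing the plaintext token to the data provider.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not CXF code): the token is encrypted with a fresh AES key,
 * and that key is encrypted with the certificate's RSA public key. The pair
 * (encryptedToken, encryptedKey) is what the text describes as the token
 * value plus the extra 'key' parameter handed to the client.
 */
public class WrappedTokenExample {
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;
    private static final String AES_TRANSFORM = "AES/GCM/NoPadding";
    private static final String RSA_TRANSFORM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    /** Values carried to the client; both are base64url strings. */
    public static final class WrappedToken {
        public final String encryptedToken; // IV || AES-GCM ciphertext || tag
        public final String encryptedKey;   // RSA-OAEP(secret AES key)
        WrappedToken(String encryptedToken, String encryptedKey) {
            this.encryptedToken = encryptedToken;
            this.encryptedKey = encryptedKey;
        }
    }

    /** OAuth2 server side: done once, when the token is issued. */
    public static WrappedToken wrap(String tokenValue, PublicKey certificateKey) throws Exception {
        // 1. Fresh per-token secret key; never reused across tokens.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey secret = kg.generateKey();

        // 2. Encrypt the token with AES-GCM so tampering is detected on decrypt.
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance(AES_TRANSFORM);
        aes.init(Cipher.ENCRYPT_MODE, secret, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = aes.doFinal(tokenValue.getBytes(StandardCharsets.UTF_8));
        byte[] ivAndCt = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, ivAndCt, 0, iv.length);
        System.arraycopy(ct, 0, ivAndCt, iv.length, ct.length);

        // 3. Encrypt the secret key with the certificate's public key.
        Cipher rsa = Cipher.getInstance(RSA_TRANSFORM);
        rsa.init(Cipher.ENCRYPT_MODE, certificateKey);
        byte[] wrappedKey = rsa.doFinal(secret.getEncoded());

        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return new WrappedToken(enc.encodeToString(ivAndCt), enc.encodeToString(wrappedKey));
    }

    /** Resource server side: what a custom AccessTokenValidator would do. */
    public static String unwrap(WrappedToken wt, PrivateKey certificatePrivateKey) throws Exception {
        Base64.Decoder dec = Base64.getUrlDecoder();

        // 1. Recover the secret key with the private key.
        Cipher rsa = Cipher.getInstance(RSA_TRANSFORM);
        rsa.init(Cipher.DECRYPT_MODE, certificatePrivateKey);
        SecretKey secret = new SecretKeySpec(rsa.doFinal(dec.decode(wt.encryptedKey)), "AES");

        // 2. Decrypt the token; a modified ciphertext fails here with AEADBadTagException.
        byte[] ivAndCt = dec.decode(wt.encryptedToken);
        byte[] iv = Arrays.copyOfRange(ivAndCt, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(ivAndCt, GCM_IV_BYTES, ivAndCt.length);
        Cipher aes = Cipher.getInstance(AES_TRANSFORM);
        aes.init(Cipher.DECRYPT_MODE, secret, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return new String(aes.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair standing in for the resource server's certificate.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        WrappedToken wt = wrap("constructed-opaque-token-value", kp.getPublic());
        System.out.println("token parameter: " + wt.encryptedToken);
        System.out.println("key parameter:   " + wt.encryptedKey);
        System.out.println("recovered:       " + unwrap(wt, kp.getPrivate()));
    }
}
```

The design point worth noting is that the resource server only ever needs its own private key: any number of OAuth2 servers can issue tokens for it given the certificate, and a token whose ciphertext or 'key' parameter has been altered fails the GCM tag check rather than decrypting to garbage, so the validator can reject it before looking up the token.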

Encrypted JWT Tokens

A JWT token can be JWE-encrypted, with the encrypted string acting as a Bearer ServerAccessToken.

See the Json Web Tokens wiki page for more information on how to sign and encrypt JSON Web Tokens.

Custom tokens

If needed, users can define their own custom token types, with the only restriction that the custom token type implementations have to extend org.apache.cxf.rs.security.oauth2.common.ServerAccessToken.

...