...

When to use JWT? The pros are: it may be easier to align with some of the newer OAuth2-related specifications, the resource server may be able to validate the token locally and avoid a remote validation call, and the OAuth2 server may be able to store less token state. The cons are: the extra cost of validating the signature (or decrypting the token) on every request, and the access token value reported to and used by clients becomes larger. Note also that once the remote validation call is avoided, a revoked token is not noticed by the resource server until it expires, unless revocation is checked separately. If JWS only is used (the token is signed but not encrypted), care should be taken to avoid putting sensitive claims into the token: the JWS payload is only base64url-encoded, so anyone holding the token can read the claims without the signing key.


See the JAX-RS JOSE wiki page for more information on how to sign and encrypt JSON Web Tokens. Specifically, if you need to create JWT values in your custom providers, then have a look at this section: one can delegate to or extend JoseJwtConsumer or JoseJwtProducer. Additionally, org.apache.cxf.rs.security.oauth2.provider.OAuthJoseJwtConsumer (and OAuthJoseJwtProducer) can help in cases where the OAuth2 Client secret is used as the key for HMAC-based signatures or encryption, while OAuthServerJoseJwtConsumer (and OAuthServerJoseJwtProducer) can also use OAuth2 Client certificates.
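The two points above (a JWS payload is readable without the key, and a client secret can serve as the HMAC key) are easiest to see in a few lines of code. The following is an added example written for this page; it is not CXF code and does not use JoseJwtProducer or OAuthJoseJwtConsumer. It builds a compact HS256 JWS with only the Python standard library, then shows that the claims can be read from the token without the secret, and that a consumer must check the signature, the algorithm, the issuer and the expiry before trusting them. The secret, the issuer URL and the claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for this example only (not real credentials).
CLIENT_SECRET = b"client-secret-demo"
ISSUER = "https://as.example"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as required by the JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Produce header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def introspect_unverified(token: str) -> dict:
    """Read the claims without any key: this is why sensitive data must not go
    into a JWS-only token. Nothing here proves the token is genuine."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes, expected_iss: str, now: int) -> dict:
    """Validate the token the way a resource server must before using its claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: do not let the token choose (rejects "none" and alg confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_tag = hmac.new(
        secret, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected_tag, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims


def demo() -> dict:
    """Sign a token, read it without the key, verify it, and reject a forged copy."""
    claims = {"iss": ISSUER, "sub": "alice", "scope": "read", "exp": 1700000600}
    token = sign_hs256(claims, CLIENT_SECRET)
    peeked = introspect_unverified(token)  # works with no secret at all
    verified = verify_hs256(token, CLIENT_SECRET, ISSUER, now=1700000000)
    # Swap the payload for one claiming a different subject but keep the old signature.
    head, _, sig = token.split(".")
    forged_payload = dict(claims, sub="admin")
    forged = head + "." + b64url_encode(json.dumps(forged_payload).encode()) + "." + sig
    try:
        verify_hs256(forged, CLIENT_SECRET, ISSUER, now=1700000000)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return {"peeked_sub": peeked["sub"], "verified_scope": verified["scope"],
            "forged_rejected": forged_rejected}


if __name__ == "__main__":
    print(demo())
```

The consumer side pins the algorithm and checks issuer and expiry in addition to the HMAC; a consumer that only checks the signature will happily accept an expired token or one minted by a different issuer that happens to share the key.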


Custom tokens

If needed, users can use their own custom token types; the only restriction is that the custom token type implementation has to extend org.apache.cxf.rs.security.oauth2.common.ServerAccessToken.

...