This project mandates JWTs for tokens, whilst OAuth 2.0 does not
ThisIsMissEm opened this issue
Summary
The OAuth 2.0 specifications do not mandate JWTs for access tokens and ID tokens (only OIDC does that, though there are OAuth 2.0 specifications that define JWTs for tokens). It might be worth clarifying whether you mean this project as an OIDC mock server or an OAuth 2.0 mock server.
If it's the latter, then supporting non-JWT tokens would be a good idea (as well as disabling the .well-known/openid-configuration endpoint and potentially supporting RFC 8414, which is similar but different).
Also, OAuth 2.0 doesn't mandate that servers must support token introspection, so being able to disable that would be good.
Note: Filed this as a bug, as the intent of this project is unclear because of the discrepancy between its name and the functionality implemented.
If this project were to support non-JWT access tokens, it could be used by folks developing services/apps for Mastodon and similar federated social media software, which tends to use OAuth 2.0 specs but not implement OIDC.
@ThisIsMissEm Thanks a lot for this feedback.
Sadly, I'm not as well versed in RFCs as @poveden is. So you might need to help me out a bit in order to better understand the issue you're facing.
> If this project were to support non-JWT access tokens, it could be used by folks developing services/apps for Mastodon and similar federated social media software, which tends to use OAuth 2.0 specs but not implement OIDC.
Could you please describe the pain points you're facing integrating oauth2-mock-server in that context? What doesn't work? What's missing? Could you maybe provide us with a view of the expected flows this integration would require and highlight where oauth2-mock-server is lacking?
@ThisIsMissEm Closing due to inactivity. Feel free to message back should you want to discuss this further.