I'm struggling to find information about how sensitive is the result of Microsoft.Owin.Security.Infrastructure.AuthenticationTokenCreateContext.SerializeTicket
Ideally, I'd like to avoid storing it on the server, and instead just send it to the client (as a token) so that I can deserialize it in AuthenticationTokenProvider.ReceiveAsync
Do I need to encrypt it? Is it a problem to send it to the client even after encryption?
All implementations I've seen store this ticket server side, and only send an identifier to the client. I don't know if there is a reason not to send the ticket itself?
I ended up storing the tickets on the server, and only sending an identifier to the clients.
After thinking a bit more, I found the following advantages with this method: