I have been working on IdentityServer3 and I observed that my Access Token (and Identity token) is getting too large (up to 3000+ chars) in case of Implicit flow, while same server is returning access token of about 20-30 chars against Resource Owner flow. Is this issue is specific to Flows or I'm doing something wrong...???
What I'm have in my visual studio solution is
- Separate/standalone IdentityServer server project
- Mvc Application project (using implicit flow)
- Console app (using resource owner flow)
- Web api project (gets access token from either mvc app or console app in request header)
Once I login into mvc app, it gets a pretty large access token (and identity token), but in case of console app it just returns a nice and compact one. Why is the difference here...???
I think, you got the access token of Jwt type token in case of implicit flow. It contains list of claims. Where as in resource owner flow, you got reference token. It does not contain claims.