Right now access tokens are encrypted (AES/GCM - authenticated encryption). Since 6.2, the access token is a random UUID, by which we pull the user token from the .security index (the format moved from a self-encoded token to an identifier). Hence, I don't think we require the confidentiality and integrity any longer.
Should we un-encrypt access tokens?
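The two token formats contrasted in the post, modelled as an added example (not code from the post or from the project): a self-encoded token sealed with AES/GCM next to a random-UUID identifier resolved from a server-side store. The in-memory `STORE` map, the method names and the `user=alice` payload are assumptions standing in for the `.security` index and the user token.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

public class TokenFormats {
    // Hypothetical stand-in for the server-side token store (not the .security index API).
    static final Map<String, String> STORE = new HashMap<>();

    // Self-encoded format: the user token travels inside the bearer value, sealed with AES/GCM.
    static String issueSelfEncoded(SecretKey key, String userToken) throws Exception {
        byte[] iv = new byte[12];                       // fresh 96-bit nonce per token
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(userToken.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);   // layout: iv || ciphertext+tag
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getUrlEncoder().encodeToString(out);
    }

    // Decrypts and verifies the tag; any modification raises AEADBadTagException.
    static String readSelfEncoded(SecretKey key, String token) throws Exception {
        byte[] raw = Base64.getUrlDecoder().decode(token);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, raw, 0, 12));
        return new String(c.doFinal(raw, 12, raw.length - 12), StandardCharsets.UTF_8);
    }

    // Identifier format: the bearer value is only a random lookup key; the data stays server-side.
    static String issueIdentifier(String userToken) {
        String id = UUID.randomUUID().toString();       // randomUUID draws from a CSPRNG
        STORE.put(id, userToken);
        return id;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        String sealed = issueSelfEncoded(key, "user=alice");     // constructed sample payload
        System.out.println("self-encoded: " + readSelfEncoded(key, sealed));
        byte[] raw = Base64.getUrlDecoder().decode(sealed);
        raw[raw.length - 1] ^= 1;                       // flip one bit of the GCM tag
        try { readSelfEncoded(key, Base64.getUrlEncoder().encodeToString(raw)); }
        catch (AEADBadTagException e) { System.out.println("altered sealed token: rejected by tag check"); }
        String id = issueIdentifier("user=alice");
        System.out.println("identifier:   " + STORE.get(id));
        // An altered identifier matches no stored entry, so the lookup itself rejects it.
        System.out.println("altered id:   " + STORE.get(id.substring(1) + "0"));
    }
}
```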