In OAuth2 it seems that bearer tokens distributed over SSL are the standard. In my understanding, the server generates the bearer token for a client, persists it, and then sends it to the client over SSL. Then clients attach the token to a request and the server validates that the specified token is authorized for the requested resource, but there is no validation that the request is coming from the client that originally requested (and "owns") the token, is that right?
Does anyone know of any existing projects (sample or real) that utilize some form of signature verification mechanism with OAuth2? The idea would be that the server can verify the authenticity of the token without having to persist/remember the token after generation. Perhaps something using SAML 2.0?
In my project, we are being asked to create a token that is not persisted yet can be validated in the future by the server. Is this a valid use case for OAuth2?
Any insight you can provide is appreciated. Thanks!