With the impending deadline for the discontinuation of JWT authentication, I am struggling to come up with a good architecture that will allow me to use the S2S OAuth solution. At issue here is the whole “token index” problem. We have two different applications (a legacy .NET Framework 4.8 solution and a new .NET 6 solution in progress) that require use of the OAuth token. They may be running on a dozen or more different servers, and because we only have a max token_index of 2, we’re required to come up with some complex distributed locking solution to synchronize all the different threads on use of one of the two possible tokens.
Restricting to a single OAuth token is not in the OAuth spec (if it is, I’d like to know where). It seems that, based on the other threads on this topic, I am not alone in struggling with this problem.
What is the reference architecture here?