Is it safe to store important data in an encrypted access token? For example, instead of storing access tokens in a database, not storing them at all and putting their associated data into them before encryption.
As in, I'm setting up an OAuth authentication server. I create an access token by wrapping together the timestamp of the token, the IP address of the request for the token, the principal used for the request, and maybe some other data, as a String. Then I encode the String in Base64, and run it through strong encryption.
When the token is submitted, I use my key to decrypt it, decode it from Base64, and read the data it contains. If I'm able to read it, it can't have been tampered with, right?
Is the only reason to store access tokens and the user they were issued to in a database table a lack of faith in the strong encryption?
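
The stateless token described above, as an added example that is not part of the original post. Successful decryption only shows the token is unmodified when the cipher mode is authenticated, so this sketch assumes Node.js and AES-256-GCM; the function names, the JSON claim layout and the one-hour lifetime are assumptions.

```javascript
// Added example, not from the original post. Names, claim layout and TTL are assumptions.
const crypto = require("crypto");

const TOKEN_TTL_SECONDS = 3600; // assumed token lifetime
const NONCE_LEN = 12, TAG_LEN = 16; // standard AES-GCM nonce and tag sizes

// Seal the claims: token = base64url(nonce || tag || ciphertext).
function issueToken(key, principal, ip, now = Math.floor(Date.now() / 1000)) {
  const claims = Buffer.from(JSON.stringify({ sub: principal, ip, iat: now }), "utf8");
  const nonce = crypto.randomBytes(NONCE_LEN); // must never repeat under one key
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  const ciphertext = Buffer.concat([cipher.update(claims), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ciphertext]).toString("base64url");
}

// Return the claims, or null if the token is malformed, modified, or expired.
function verifyToken(key, token, now = Math.floor(Date.now() / 1000)) {
  const raw = Buffer.from(String(token), "base64url");
  if (raw.length <= NONCE_LEN + TAG_LEN) return null;
  const nonce = raw.subarray(0, NONCE_LEN);
  const tag = raw.subarray(NONCE_LEN, NONCE_LEN + TAG_LEN);
  const ciphertext = raw.subarray(NONCE_LEN + TAG_LEN);
  try {
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, nonce, { authTagLength: TAG_LEN });
    decipher.setAuthTag(tag);
    // final() throws when the tag does not match the nonce, key and ciphertext.
    const plain = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
    const claims = JSON.parse(plain.toString("utf8"));
    const age = now - claims.iat;
    if (typeof claims.iat !== "number" || age < 0 || age > TOKEN_TTL_SECONDS) return null;
    return claims;
  } catch (err) {
    return null; // tag mismatch, wrong key, or unparsable plaintext
  }
}

// Simulate modification in transit by flipping one bit of the ciphertext.
function corrupt(token) {
  const raw = Buffer.from(token, "base64url");
  raw[raw.length - 1] ^= 0x01;
  return raw.toString("base64url");
}

// Constructed sample values: a random key and a documentation-range IP address.
const demoKey = crypto.randomBytes(32);
const demoToken = issueToken(demoKey, "alice", "203.0.113.7");
console.log(verifyToken(demoKey, demoToken));          // the claims object
console.log(verifyToken(demoKey, corrupt(demoToken))); // null
```

Nothing in this scheme lets the server revoke a token before it expires; doing that requires some server-side state, such as a denylist of revoked tokens.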