Migrating access tokens issued by another system to Authlete


When replacing an existing authorization server (the old system) with Authlete, you may have to consider how to handle access tokens that were issued by the old system.

Authlete must manage all access tokens, including these old ones, if resource servers do not distinguish the issuer of each token and ask Authlete to evaluate (i.e. token introspection) every token that clients send to them.

This article explains how to migrate access tokens issued by another system to Authlete.

How to migrate

Authlete provides /auth/token/create, one of its token management APIs. It lets an authorization server have Authlete create arbitrary tokens without any authorization request or token request. The following section in the API reference explains the parameters for the API.

The accessToken parameter is optional but important. If a value is specified for this parameter, Authlete uses it as the value of the newly minted access token. Note that Authlete hashes the value before storing it in the token database.

Thus you can migrate a token by calling this API with the accessToken parameter set to the value of an existing token issued by the old system.
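
The following added example, which is not Authlete's own code, maps token records exported from the old system to /auth/token/create request bodies, keeping each token's remaining lifetime and skipping revoked or expired tokens. The record field names, the client ID mapping, the base URL and Authorization value, and the request parameters other than accessToken are assumptions to check against the API reference.

```python
import json
import urllib.request
# Constructed sample export; field names are hypothetical (old-system schema).
SAMPLE_NOW = 1700000000
SAMPLE_RECORDS = [
    {"token": "old-token-aaa", "client_id": "web-app", "subject": "user-1",
     "grant_type": "AUTHORIZATION_CODE", "scopes": ["profile", "email"],
     "expires_at": 1700000600, "revoked": False},
    {"token": "old-token-bbb", "client_id": "web-app", "subject": "user-2",
     "grant_type": "AUTHORIZATION_CODE", "scopes": ["profile"],
     "expires_at": 1699999990, "revoked": False},   # already expired
    {"token": "old-token-ccc", "client_id": "web-app", "subject": "user-3",
     "grant_type": "AUTHORIZATION_CODE", "scopes": ["profile"],
     "expires_at": 1700003600, "revoked": True},    # revoked in old system
]
SAMPLE_CLIENT_MAP = {"web-app": 1001}  # old client id -> Authlete client ID

def build_create_request(record, client_id_map, now):
    """Map one exported record to a request body, or None if it must be skipped."""
    remaining = int(record["expires_at"] - now)
    client_id = client_id_map.get(record["client_id"])
    if record.get("revoked") or remaining <= 0 or client_id is None:
        return None  # never resurrect revoked, expired or orphaned tokens
    body = {
        "grantType": record["grant_type"],
        "clientId": client_id,
        "scopes": sorted(record["scopes"]),
        "accessTokenDuration": remaining,  # keep the original expiry (seconds)
        "accessToken": record["token"],    # Authlete hashes it before storing
    }
    if record["grant_type"] != "CLIENT_CREDENTIALS":
        body["subject"] = record["subject"]
    return body

def plan_migration(records, client_id_map, now):
    """Return (request_bodies, skipped_count) without contacting Authlete."""
    bodies = [build_create_request(r, client_id_map, now) for r in records]
    kept = [b for b in bodies if b is not None]
    return kept, len(bodies) - len(kept)

def post_create(base_url, authorization, body, timeout=10):
    """POST one body to {base_url}/auth/token/create; both arguments are caller-supplied."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/auth/token/create",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": authorization},
        method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())
```

When running the migration, log the skipped count and each request's outcome rather than the token strings themselves.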

Migrating a large number of tokens

If you are going to migrate a large number of tokens, it might be appropriate to take another approach: dump the token information from the old system, then transform and import it into Authlete. Please ask an Authlete support representative for details.

Supplemental information
