Tokens
- Managing authorizations (issued tokens) granted to a client by a user
- Updating issued token(s)
- How Authlete determines token duration
- Token duration per scope
- Token duration per client
- Changing token duration
- Authlete's policy on sweeping unused tokens
- Token revocation policy
Access Tokens
- Enabling single access token per subject
- Enabling JWT-based access tokens
- How to add extra properties to an access token
- Getting a list of issued access tokens
- Issuing two access tokens through hybrid flow
Refresh Tokens
ID Tokens
- Identifying "claims" expected to be included in an ID token
- Adding claims to an ID token
- Changing signing key for ID tokens
- Generating encrypted ID tokens
- When a response_type parameter contains id_token
- Custom header claims in ID tokens
Proof-of-Possession (PoP) Tokens
Scopes
- Scope attributes
- Letting resource owners choose scopes to be authorized
- Using "parameterized scopes"
- Registering localized descriptions for custom scopes
PKCE (RFC 7636)
- Requiring clients to use PKCE for their authorization requests
- Requiring clients to specify "S256" when using PKCE for their authorization requests
Client Management
- Using "Client ID Alias"
- Token management policy when deleting clients
- Authlete's policy on managing clients which have been authorized by a user
- Client Attributes
Authorization Requests
- Ticket Parameter in Authorization Endpoint
- When seeing the error of "There is no entity having the ticket specified..."
- Using Request Objects
- Pushed Authorization Requests (PAR)
- Rich Authorization Requests (RAR)
- JWT Secured Authorization Requests (JAR)
- Resource Indicators
User Authentication
Error Handling
- Generating error response using "fail" API
- Interpreting Authlete's result codes
- Suppressing error details in responseContent
Client Authentication
- Configuring client authentication
- Client authentication using client_secret_jwt method
- Client authentication using private_key_jwt method
- Client authentication using tls_client_auth method
- Strict checking on client authentication parameters
Introspection
- Introspection response for expired access token
- Checking if an access token has particular scopes
- Use cases for two introspection APIs