Tokens

Managing authorizations (issued tokens) granted for a client by a user

Technical information about Authlete APIs for managing authorizations (issued tokens) granted for a client by a user.

Updating issued token(s)

Technical information on different methods provided by Authlete for updating issued token(s) including scopes expiration time and other properties.

How Authlete determines token duration

Technical information on how Authlete determines token duration based on different versions like Authlete 1.x and Authlete 2.0.

Token duration per scope

Setting token duration individually per scope in Authlete 2.0 for more granular control and customization.

Token duration per client

Instructions on configuring access/refresh token duration per client in Authlete 2.1.

Changing token duration

Explanation on how changing token duration settings in Authlete affects access tokens and refresh tokens.

Authlete's policy on sweeping unused tokens

Authlete removes unused access tokens and refresh tokens after a certain period regardless of their expiration time set by the service owner console.

Token revocation policy

Technical Information about how Authlete handles token revocation requests and the corresponding invalidation of access tokens and refresh tokens.

Access Tokens

Enabling single access token per subject

Technical information on enabling a single access token per subject in Authlete to ensure that only the newest access token is valid for each user.

Using JWT-based access tokens

Guide on enabling the feature in Authlete to issue JWT-formatted access tokens and specifying additional claims available in Authlete 2.1 and later.

How to add extra properties to an access token

Adding additional properties to access tokens for enhanced control and security in API requests.

Getting a list of issued access tokens

Getting a list of access tokens issued by Authlete's API.

Issuing two access tokens through hybrid flow

Issuing two access tokens with restricted scopes and shortened duration using OpenID Connect's Hybrid flows.

Refresh Tokens

How to enable issuing of a refresh token

Configuring Authlete service and clients to enable issuing a refresh token including adding REFRESH_TOKEN to Supported Grant Types and Grant Types settings in both Service Owner and Developer Consoles.

Refresh tokens after being used

Technical information on handling refresh tokens after they have been used in OAuth 2.0.

ID Tokens

Identifying claims expected to be included into an ID token

How Authlete helps identity providers identify and fulfill requested claims by relying parties in OpenID Connect authentication requests.

Adding claims to an ID token

Adds arbitrary claims to an ID token using Authlete's API with specific claim values such as name and email.

Changing signing key for ID tokens

Guide on changing a signing key for ID tokens by configuring both a service of Authlete and a client registered to the service.

Generating encrypted ID tokens

Generating encrypted ID tokens for a particular client using Authlete and registering a JWK set for encryption.

When a response_type parameter contains id_token

Technical information about the necessity of including openid in the value of the scope parameter when the response_type parameter contains id_token in an authorization request.

Custom header claims in ID tokens

Adding custom claims to ID tokens by configuring Authlete to include them in the JWS header available in version 2.2 and later.

Proof-of-Possession (PoP) Tokens

Issuing mutual-TLS certificate-bound access tokens

Instructions for setting up Authlete to issue Mutual-TLS certificate-bound access tokens as defined in RFC 8705.

Using DPoP

Technical guide on implementing DPoP with Authlete APIs for supporting OAuth 2.0 Proof-of-Possession.

Scopes

Scope attributes

This article provides information on scope attributes and how to create them available since Authlete 2.0.

Letting resource owners choose scopes to be authorized

How to utilize Authlete APIs to enable resource owners to select scopes for authorization on an authorization page.

Using “parameterized scopes”

Configuring and utilizing parameterized scopes feature in Authlete to use dynamic values in scope strings.

Registering localized descriptions for custom scopes

Registering localized descriptions for custom scopes in Authlete's API.

PKCE (RFC 7636)

Requiring clients to use PKCE for their authorization requests

Technical information about how to require OAuth 2.0 clients to use PKCE for their authorization requests with Authlete's feature.

Requiring clients to specify S256 when using PKCE for their authorization requests

Require OAuth 2.0 clients to specify S256 for code_challenge_method parameter when using PKCE for authorization requests with Authlete's feature.

Client Management

Using Client ID Alias

Technical Information about using Client ID Alias feature in Authlete for seamless migration of clients and resource servers to Authlete-based authorization server.

Token management policy when deleting clients

Automatic deletion of access tokens and refresh tokens issued to a client to simplify token management when deleting clients.

Authlete's policy on managing clients which have been authorized by user

Technical information on Authlete's policy for managing authorized clients based on valid or expired access and refresh tokens.

Client Attributes

Configuring and utilizing client attributes in OAuth 2.0 for defining client affiliations roles and access controls.

Authorization Requests

Ticket Parameter in Authorization Endpoint

Backend APIs for implementing an authorization endpoint with a ticket parameter that links two types of APIs and expires within 24 hours.

When seeing the error of There is no entity having the ticket specified...

The article covers the conditions under which the error There is no entity having the ticket specified may occur in the Authlete API server.

Using Request Objects

Instructions on configuring Authlete to support authorization requests with request objects for enhanced security.

Pushed Authorization Requests (PAR)

Overview of the technical support for Pushed Authorization Requests (PAR) in OAuth 2.0 framework with a focus on implementing PAR EP in an authorization server and configuring PAR settings in Authlete.

Rich Authorization Requests (RAR)

Overview and implementation details of OAuth 2.0 Rich Authorization Requests (RAR) for fine-grained permission representation and usage in Authlete.

JWT Secured Authorization Requests (JAR)

Technical information about using JWT Secured Authorization Requests (JAR) in OAuth 2 deployments for increased security and validation of authorization requests.

Resources Indicator

Technical information about the Resource Identifier specification in OAuth 2 framework and its support by Authlete.

User Authentication

Using OAuth 2.0 for User Authentication

Using OAuth 2.0 for User Authentication and the Advantages of OpenID Connect.

Error Handling

Generating error response using fail API

Generating OAuth 2.0 compliant error responses using Authlete's fail APIs to support authorization server in responding to clients with standard error messages.

Interpreting Authlete's result codes

Interpreting the meaning behind Authlete's API result codes starting with A.

Suppressing error details in responseContent

Suppressing error details in responseContent by utilizing the responseContent parameter in Authlete APIs for authorization servers.

Client Authentication

Configuring client authentication

Basics of client authentication configuration in Authlete and how client authentication works in the context of processing token requests.

Client authentication using client_secret_jwt method

Technical information about client authentication using the client_secret_jwt method in OAuth 2.0 and OpenID Connect.

Client authentication using private_key_jwt method

Technical information on client authentication using the private_key_jwt method in OAuth 2.0 with an overview of the method setup instructions with Authlete and requirements for both the client and the authorization server side.

Client authentication using tls_client_auth method

Overview and instructions on enabling client authentication using TLS client authentication method in Authlete.

Strict checking on client authentication parameters

Strict checking on client authentication parameters in Authlete version 2.0 requires specific configurations and values in token requests with differences from the previous version to note during migration.

Introspection

Introspection response for expired access token

Details on how Authlete handles requests with expired access tokens in its Introspection API and the resulting UNAUTHORIZED response.

Checking if an access token has particular scopes

Information on utilizing Authlete's API feature to determine if an access token has specific scopes for validation in a resource server.

Use cases for two introspection APIs

Various use cases for Authlete's two introspection APIs including the /auth/introspection and /auth/introspection/standard APIs are discussed in this article.

JWT Response for OAuth Token Introspection

Technical information on configuring services and resource servers to enable the JWT Response for OAuth Token Introspection feature.

Userinfo Endpoint

Access token verification in Userinfo API

Technical information on how Authlete's Userinfo API internally verifies access tokens eliminating the need for the authorization server to make a separate request to Authlete's introspection API.

JARM

Enabling JARM

Technical guide on enabling JARM a response mode for encoding authorization responses to JWTs for secure authorization responses.

Device Flow (RFC 8628)

Enabling “device flow”

Guide on enabling the device flow for API clients on devices without web browsers using Authlete's authorization server component architecture.

Grant Type