Authlete Knowledge Base

Tokens

• Managing authorizations (issued tokens) granted for a client by a user
• Updating issued token(s)
• How Authlete determines token duration
• Token duration per scope
• Token duration per client
• Changing token duration
• Authlete's policy on sweeping unused tokens
• Token revocation policy

Access Tokens

• Enabling single access token per subject
• Enabling JWT-based access tokens
• How to add extra properties to an access token
• Getting a list of issued access tokens
• Issuing two access tokens through hybrid flow

Refresh Tokens

• How to enable issuing of a refresh token
• Refresh tokens after being used

ID Tokens

• Identifying "claims" expected to be included into an ID token
• Adding claims to an ID token
• Changing signing key for ID tokens
• Generating encrypted ID tokens
• When a response_type parameter contains id_token
• Custom header claims in ID tokens

Proof-of-Possession (PoP) Tokens

• Issuing mutual-TLS certificate-bound access tokens
• Using DPoP

Scopes

• Scope attributes
• Letting resource owners choose scopes to be authorized
• Using “parameterized scopes”
• Registering localized descriptions for custom scopes

PKCE (RFC 7636)

• Requiring clients to use PKCE for their authorization requests
• Requiring clients to specify "S256" when using PKCE for their authorization requests

Client Management

• Using "Client ID Alias"
• Token management policy when deleting clients
• Authlete's policy on managing clients which have been authorized by user
• Client Attributes

Authorization Requests

• Ticket Parameter in Authorization Endpoint
• When seeing the error of "There is no entity having the ticket specified..."
• Using Request Objects
• Pushed Authorization Requests (PAR)
• Rich Authorization Requests (RAR)
• JWT Secured Authorization Requests (JAR)
• Resources Indicator

User Authentication

• Using OAuth 2.0 for User Authentication

Error Handling

• Generating error response using "fail" API
• Interpreting Authlete's result codes
• Suppressing error details in responseContent

Client Authentication

• Configuring client authentication
• Client authentication using client_secret_jwt method
• Client authentication using private_key_jwt method
• Client authentication using tls_client_auth method
• Strict checking on client authentication parameters

Introspection

• Introspection response for expired access token
• Checking if an access token has particular scopes
• Use cases for two introspection APIs

Userinfo Endpoint

• Access token verification in Userinfo API

JARM

• Enabling JARM

Device Flow (RFC 8628)

• Enabling “device flow”