Changing token duration
After changing "token duration" settings on an Authlete service that has been issuing tokens, Authlete will:
- Preserve duration settings for tokens previously issued
- Apply the new duration settings for tokens to be issued after the change
This article explains how the settings affect access tokens and refresh tokens.
The new duration settings are applied whenever an access token is issued or reissued in response to a token request, for any grant type, including the refresh token grant.
Whether the change affects refresh tokens depends on the "Refresh Token Continuous Use" setting.
- If "Kept" is selected, the new duration does not take effect until the existing refresh token has expired and a new one is issued.
- If "Not kept" is selected, the new duration takes effect for the new refresh token that is issued along with a new access token on a refresh token grant (made using the old refresh token).
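The rules above as a simplified model, added here as an example and not taken from Authlete's code or API: it issues tokens, shortens both durations, then performs a refresh token grant under each "Refresh Token Continuous Use" setting. The class, function and field names and the duration values are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    kind: str        # "access" or "refresh"
    issued_at: int   # seconds on a constructed clock
    expires_at: int  # fixed at issuance; later setting changes never touch it

class Service:
    """Simplified model of the rules above (hypothetical names, not Authlete's API)."""

    def __init__(self, access_duration, refresh_duration, refresh_token_kept):
        self.access_duration = access_duration
        self.refresh_duration = refresh_duration
        self.refresh_token_kept = refresh_token_kept  # "Kept" vs "Not kept"

    def issue(self, now):
        """Initial token response: both tokens use the current settings."""
        return (Token("access", now, now + self.access_duration),
                Token("refresh", now, now + self.refresh_duration))

    def refresh(self, old_refresh, now):
        """Refresh token grant: the access token always uses the current settings."""
        if now >= old_refresh.expires_at:
            raise ValueError("refresh token expired")
        access = Token("access", now, now + self.access_duration)
        if self.refresh_token_kept:
            return access, old_refresh  # same refresh token, original expiry
        return access, Token("refresh", now, now + self.refresh_duration)

def simulate(refresh_token_kept):
    """Issue at t=0 with 1 h / 30 d, shorten to 5 min / 1 d, refresh at t=1200."""
    svc = Service(3600, 30 * 86400, refresh_token_kept)
    access0, refresh0 = svc.issue(now=0)
    svc.access_duration, svc.refresh_duration = 300, 86400  # settings change
    access1, refresh1 = svc.refresh(refresh0, now=1200)
    return access0, refresh0, access1, refresh1

if __name__ == "__main__":
    for kept in (True, False):
        a0, r0, a1, r1 = simulate(kept)
        print("Kept" if kept else "Not kept",
              "| old access expires:", a0.expires_at,
              "| new access expires:", a1.expires_at,
              "| refresh expires:", r1.expires_at)
```

In both modes the access token issued before the change still expires at its original time, so shortening a duration does not shorten the lifetime of tokens already in circulation.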