- Access Tokens
- Refresh Tokens
- ID Tokens
- Proof-of-Possession (PoP) Tokens
- PKCE (RFC 7636)
- Client Management
- Authorization Requests
- User Authentication
- Error Handling
- Client Authentication
- Userinfo Endpoint
- Device Flow (RFC 8628)
How Authlete determines token duration
Authlete determines duration of effective time of tokens (access tokens and refresh tokens) when issuing them. This article describes how Authlete versions calculate token duration (hereinafter duration).
Authlete uses a value of token duration configured for a service. The value is set as an initial value of duration.
Authlete 2.0 supports token duration per scope. In addition to the calculation process in Authlete 1.x, Authlete performs the following calculation steps.
- Check which scopes are requested by clients
- If token duration is set for any of the requested scopes (see this for more details), perform the following steps.
- Get the minimum value out of all the token duration that are set for those scopes.
- If the value obtained above is smaller than the current duration, Authlete sets the smaller value for the new duration.
Authlete 2.1 and later
Authlete 2.1 and later supports token duration per client. In addition to the calculation processes in Authlete 1.x and 2.0 above, Authlete performs another calculation step.
- Check which client is the requestor
- If token duration is set for the requesting client (see this for more details), Authlete compares the value with the current duration and sets the smaller one for the new duration.
How did we do with this article?