How Authlete determines token duration
Authlete determines the lifetime of tokens (access tokens and refresh tokens) when it issues them. This article explains how each Authlete version calculates the token duration (hereinafter "duration").
Authlete starts from the token duration configured for the service. This value is the initial duration, and in Authlete 1.x it is the only input to the calculation.
Authlete 2.0 adds token duration per scope. In addition to the Authlete 1.x step above, Authlete performs the following steps:
- Check which scopes the client requested.
- If a token duration is set for any of the requested scopes (see the article on token duration per scope for details), perform the following steps.
- Take the minimum of the token durations set for those scopes.
- If that minimum is smaller than the current duration, Authlete uses it as the new duration.
Authlete 2.1 and later add token duration per client. In addition to the Authlete 1.x and 2.0 steps above, Authlete performs one more step:
- Check which client is making the request.
- If a token duration is set for the requesting client (see the article on token duration per client for details), Authlete compares it with the current duration and uses the smaller one as the new duration.
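The three calculation stages above (service default, per-scope minimum, per-client value), as an added Python example; this is not Authlete's own code, and the dictionary-based representation of per-scope and per-client settings, plus treating a missing or non-positive value as "not set", are assumptions made for the example.

```python
from typing import Dict, Iterable, Optional, Tuple

# Assumed representation (not Authlete's data model): durations are integer
# seconds, and a missing or non-positive value means "not set".


def duration_from_scopes(scope_durations: Dict[str, Optional[int]],
                         requested_scopes: Iterable[str]) -> Optional[int]:
    """Authlete 2.0 step: smallest duration configured for any requested
    scope, or None when no requested scope has a duration set."""
    configured = []
    for scope in requested_scopes:
        value = scope_durations.get(scope)
        if value is not None and value > 0:
            configured.append(value)
    return min(configured) if configured else None


def compute_token_duration(service_duration: int,
                           scope_durations: Dict[str, Optional[int]],
                           requested_scopes: Iterable[str],
                           client_duration: Optional[int],
                           version: Tuple[int, int] = (2, 1)) -> int:
    """Return the token duration in seconds for one issuance request.

    version selects the steps: (1, x) uses only the service-wide value,
    (2, 0) adds the per-scope minimum, (2, 1) adds the per-client value.
    Note that every step can only shorten the duration, never lengthen it,
    so neither a scope nor a client setting can exceed the service default.
    """
    duration = service_duration                       # Authlete 1.x: initial value
    if version >= (2, 0):
        scope_min = duration_from_scopes(scope_durations, requested_scopes)
        if scope_min is not None and scope_min < duration:
            duration = scope_min                      # Authlete 2.0: per-scope minimum
    if version >= (2, 1) and client_duration is not None and client_duration > 0:
        duration = min(duration, client_duration)     # Authlete 2.1+: per-client value
    return duration


# Constructed sample configuration (not real Authlete settings).
SERVICE_DURATION = 86400                              # one day, service-wide default
SCOPE_DURATIONS = {"openid": None, "profile": 3600, "payments": 300}
CLIENT_DURATIONS = {"mobile-app": 1800, "backend-job": None}

if __name__ == "__main__":
    for client, scopes in [("mobile-app", ["openid", "profile"]),
                           ("mobile-app", ["openid", "payments"]),
                           ("backend-job", ["openid"])]:
        seconds = compute_token_duration(SERVICE_DURATION, SCOPE_DURATIONS,
                                         scopes, CLIENT_DURATIONS[client])
        print(f"{client:12s} {' '.join(scopes):16s} -> {seconds} s")
```

Running it shows the shortest applicable setting winning in each case: the per-client value when it is the smallest, the per-scope value when a short-lived scope such as the constructed "payments" is requested, and the service default when nothing narrower is configured.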