Hybrid Flow: Issuing access tokens with subset of requested scopes
You can use OpenID Connect's "Hybrid" flow to issue two access tokens with a single authorization request for a client that consists of a native application (e.g. a mobile app) and a web application (e.g. the app's backend). In some cases you might want to issue an access token with only a subset of the requested scopes to the native app, to minimize the security risk of holding broad permissions in such a public client.
Authlete itself does not manage subsets of scopes. You can, however, generate narrow-scoped access tokens by making an additional API request from your authorization server frontend to Authlete after the tokens have been minted.
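The following is an added example of how an authorization server frontend might compute and request the narrow-scoped token for the native app; it is not Authlete's own code or sample. It assumes an Authlete token-creation API reachable at `/api/auth/token/create` that accepts `grantType`, `clientId`, `subject`, `scopes` and `accessTokenDuration` in a JSON body authenticated with the service's API key and secret via HTTP Basic; check those names against the Authlete API reference for your service before relying on them. The scope allowlist, client id and subject are constructed sample values.

```python
"""Issue a narrow-scoped access token for the public (native) half of a
Hybrid Flow client, after the full-scope token was minted for the backend."""
import base64
import json
import urllib.request

# Constructed policy: scopes a public native app is allowed to hold.
# Anything outside this set stays only on the confidential backend's token.
NATIVE_APP_SCOPE_ALLOWLIST = frozenset({"openid", "profile", "read"})


def narrow_scopes(granted_scopes, allowlist=NATIVE_APP_SCOPE_ALLOWLIST):
    """Return the ordered, de-duplicated subset of granted scopes that the
    native app may receive.

    The result is an intersection with what the user actually granted, so the
    narrow token can never carry a scope the original authorization lacked.
    """
    seen = set()
    narrowed = []
    for scope in granted_scopes:
        if scope in allowlist and scope not in seen:
            seen.add(scope)
            narrowed.append(scope)
    return narrowed


def build_token_create_request(client_id, subject, granted_scopes,
                               access_token_duration=600):
    """Build the JSON body for the additional token-issuing call.

    Parameter names (grantType, clientId, subject, scopes,
    accessTokenDuration) are an assumption about Authlete's token-create API.
    """
    scopes = narrow_scopes(granted_scopes)
    if not scopes:
        raise ValueError("no scope left after narrowing; refusing to mint a token")
    if not set(scopes) <= set(granted_scopes):  # defensive invariant check
        raise ValueError("narrowed scopes exceed the user's grant")
    return {
        "grantType": "AUTHORIZATION_CODE",  # assumed enum value
        "clientId": client_id,
        "subject": subject,
        "scopes": scopes,
        # Short lifetime: a public client's token is easier to lose.
        "accessTokenDuration": access_token_duration,
    }


def issue_narrow_token(base_url, api_key, api_secret, request_body, timeout=10):
    """POST the body to the assumed /api/auth/token/create endpoint using the
    service's API credentials as HTTP Basic auth and return the parsed reply.
    This performs a network call and is not exercised by the offline checks."""
    creds = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/auth/token/create",
        data=json.dumps(request_body).encode(),
        headers={
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: the user granted four scopes to the backend token.
    body = build_token_create_request(
        "native-app-client-id", "user-42", ["openid", "email", "read", "write"])
    print(json.dumps(body, indent=2))
```

The key property is that `narrow_scopes` only ever intersects: the native app's token is derived from what the user already consented to, never widened, and the frontend refuses to mint a token when nothing remains after narrowing.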