Authlete's policy on managing clients which have been authorized by user
An Authlete-powered authorization server can use the /client/authorization/get/list API to retrieve a list of clients that have been authorized by a specific user.
To build the list, Authlete checks its token database to see which clients have tokens stored. The expiration time of each token does not matter; only the existence of tokens is considered.
Authlete returns to your authorization server an API response containing information on the clients associated with access tokens and/or refresh tokens stored in Authlete's token database. The following conditions affect whether tokens exist in the database.
Either an access token or a refresh token is valid (not expired)
The valid token is certain to be stored in the database, so Authlete provides information on the client associated with that token.
Both an access token and a refresh token are expired
Even in this case, Authlete provides information on the client associated with the expired tokens if they are still stored (i.e. have not been swept) in the token database. Authlete removes such expired tokens when:
- Accepting an /api/auth/introspection request that contains the access token
- Executing the batch removal (cleanup) process
- Accepting an explicit removal request, e.g. via the /api/client/authorization/delete API
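The policy above, as an added example: a simplified in-memory model, not Authlete's implementation or API client. The record layout, class and method names, and sample data are assumptions made for illustration; the model shows why a "connected apps" list can still contain a client whose tokens have all expired, and how each of the three removal triggers changes the list.

```python
from dataclasses import dataclass

@dataclass
class TokenRecord:  # hypothetical layout: one row per issued token pair
    client_id: str
    subject: str
    access_token: str
    access_exp: int   # expiry, epoch seconds
    refresh_exp: int

    def fully_expired(self, now):
        return now >= self.access_exp and now >= self.refresh_exp

class TokenStore:
    def __init__(self, records):
        self.records = list(records)

    def authorized_clients(self, subject):
        # Listing looks only at existence of rows, never at expiry.
        return sorted({r.client_id for r in self.records if r.subject == subject})

    def introspect(self, access_token, now):
        for r in self.records:
            if r.access_token == access_token:
                if r.fully_expired(now):
                    self.records.remove(r)  # sweep on introspection
                return now < r.access_exp   # "active" result
        return False

    def cleanup(self, now):  # batch removal
        self.records = [r for r in self.records if not r.fully_expired(now)]

    def delete_authorization(self, client_id, subject):  # explicit removal
        self.records = [r for r in self.records
                        if (r.client_id, r.subject) != (client_id, subject)]

def walk_through(now=1000):
    # Constructed sample data: app-a and app-c fully expired, app-b has a live refresh token.
    store = TokenStore([
        TokenRecord("app-a", "alice", "at-a", 500, 900),
        TokenRecord("app-b", "alice", "at-b", 500, 2000),
        TokenRecord("app-c", "alice", "at-c", 400, 800),
    ])
    seen = [store.authorized_clients("alice")]
    store.introspect("at-a", now); store.introspect("at-b", now)
    seen.append(store.authorized_clients("alice"))
    store.cleanup(now)
    seen.append(store.authorized_clients("alice"))
    store.delete_authorization("app-b", "alice")
    seen.append(store.authorized_clients("alice"))
    return seen
```

`walk_through()` returns the list of authorized clients for the constructed user before any sweep, after the two introspection calls, after batch cleanup, and after explicit deletion.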