- Access Tokens
- Refresh Tokens
- ID Tokens
- Proof-of-Possession (PoP) Tokens
- PKCE (RFC 7636)
- Client Management
- Authorization Requests
- User Authentication
- Error Handling
- Client Authentication
- Userinfo Endpoint
- Device Flow (RFC 8628)
Enabling single access token per subject
Authlete issues a new access token for each time when the same user grants authorization request from a client (i.e. authorization server calls Authlete's /auth/authorization/issue API with the same "subject" value).
By default, Authlete doesn't invalidate tokens that are related to the user and have been issued before. Thus the client eventually has multiple valid tokens at the same time.
In some environment, authorization server is required not to issue multiple valid tokens in such a way. For Authlete to achieve this, it provides "Single Access Token Per Subject" option is Service Owner Console.
Once enabled, Authlete invalidates previous tokens in conjunction with issuing a new token. It ensures the newest token is the only valid one.
How did we do with this article?