Token duration per client

Preface

This article explains how to configure the access token and refresh token duration per client. See “How Authlete determines token duration” for details on how the token duration is determined.

This feature is available since Authlete 2.1.

Configuration

Only service owners can configure the following settings.

Here are steps to configure access/refresh token duration per client.

  1. Go to the client developer console and log in as a service owner (i.e. using the service's API key and API secret as login credentials).
  2. Open the client edit page and click the “Extension” tab to show the token duration settings. Enter values for the “Access Token Duration In seconds” and “Refresh Token Duration In seconds” fields.
(Screenshot: Set token duration per client at Client Developer Console)

Example

Assume a service and two clients registered with it, with access token durations set on some of these entities as follows.

Entity    | Access token duration (seconds)
----------|--------------------------------
Service   | 86,400
Client 1  | (not set)
Client 2  | 3,000

Under this condition, Authlete’s /auth/authorization/issue API returns the following responses to implicit grant flow authorization requests sent from each client.

1. Response to an authorization request from Client 1

{
    "type": "authorizationIssueResponse",
    "accessTokenDuration": 86400,
    "responseContent": "https://client.example.org/cb/example.com#access_token=1zT0XRynwLryWYRKCYSDjrwku5sD-WQTCtC1tnfExZE&token_type=Bearer&expires_in=86400&scope=openid"
}

=> The access token duration of the Service is used (Client 1 has no value of its own).

2. Response to an authorization request from Client 2

{
    "type": "authorizationIssueResponse",
    "accessTokenDuration": 3000,
    "responseContent": "https://client.example.org/cb/example.com#access_token=xg79MJucCq8f8QPA2_o9_q5nfzgbRQycgVwYSvMSWTY&token_type=Bearer&expires_in=3000&scope=openid"
}

=> The access token duration of Client 2 is used, overriding the Service's value.
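As an added illustration (not Authlete's own code), the following Python models the rule this example demonstrates: a client's own duration wins when it is set, otherwise the service-wide value applies, and the implicit-grant response carries the effective value as expires_in. It assumes an unset client value is represented as 0; the refresh token duration, redirect URI, tokens and the policy ceiling in the audit helper are constructed sample values.

```python
from dataclasses import dataclass
from urllib.parse import urlencode
import secrets


@dataclass
class Service:
    access_token_duration: int   # seconds, service-wide default
    refresh_token_duration: int  # seconds, service-wide default (constructed value below)


@dataclass
class Client:
    name: str
    access_token_duration: int = 0   # 0 models "(not set)" in the console (assumption)
    refresh_token_duration: int = 0  # 0 models "(not set)" in the console (assumption)


def effective_duration(service_value: int, client_value: int) -> int:
    """Per-client value wins when set (> 0); otherwise the service value applies."""
    return client_value if client_value > 0 else service_value


def issue_implicit_response(service: Service, client: Client, redirect_uri: str, scope: str) -> dict:
    """Build a response shaped like the /auth/authorization/issue examples above (constructed)."""
    duration = effective_duration(service.access_token_duration, client.access_token_duration)
    token = secrets.token_urlsafe(32)  # constructed sample token, not a real Authlete token
    fragment = urlencode({"access_token": token, "token_type": "Bearer",
                          "expires_in": duration, "scope": scope})
    return {"type": "authorizationIssueResponse",
            "accessTokenDuration": duration,
            "responseContent": f"{redirect_uri}#{fragment}"}


def audit_durations(service: Service, clients: list, max_seconds: int) -> list:
    """Names of clients whose effective access token lifetime exceeds a policy ceiling."""
    return [c.name for c in clients
            if effective_duration(service.access_token_duration, c.access_token_duration) > max_seconds]


# Constructed sample data matching the table on this page.
SERVICE = Service(access_token_duration=86_400, refresh_token_duration=864_000)
CLIENTS = [Client("Client 1"), Client("Client 2", access_token_duration=3_000)]

if __name__ == "__main__":
    for c in CLIENTS:
        print(c.name, issue_implicit_response(SERVICE, c, "https://client.example.org/cb", "openid"))
    print("over 1h:", audit_durations(SERVICE, CLIENTS, 3_600))
```

The audit helper is the kind of check an operator would run after changing per-client settings, since a client left at "(not set)" silently inherits the service-wide lifetime.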