Token duration per scope

Overview


This document explains access/refresh token duration per scope. 


Introduction


In Authlete 1.1, access (refresh) token duration can only be set for each service. Since Authlete 2.0, it can be set for each scope. This allows more granular token duration settings such as "making token duration shorten when the write scope is requested, since tokens issued with the write scope are considered to have a higher level permission than others". 

How to determine token duration


Configuration


To use this feature, you need to set scope attributes on service owner console. For more details, see "Scope attributes".
image.png 49.3 KB


Example


Assume there are a service and two scopes configured within it. Values of access token duration are set to the service and the scopes as follows.
Entity
Access token duration (seconds)
Service
86,400
read scope
3,600
write scope
600


Under this condition, Authlete's /auth/authorization/issue API make the following responses to implicit grant flow authorization requests using either combination of scopes.

1. Response to an authorization request with no scopes

{
  "type":"authorizationIssueResponse",
  "accessTokenDuration":86400,
  "responseContent":"https://client.example.org/cb/example.com
    #access_token=xbNhif-bsWOPyRasrEFUFurBSQUHnarjv6sMz8cSDjg
     &token_type=Bearer
     &expires_in=86400
     &scope=",
  ...
}

=> The access token duration for the service is used.

2. Response to an authorization request with “read” scope

{ 
  "type":"authorizationIssueResponse",
  "accessTokenDuration":3600,
  "responseContent":"https://client.example.org/cb/example.com
    #access_token=8ihMgxhMf-HYBy-O2rYVlMHEQD7WcvFGUhaXfP3YZHs
     &token_type=Bearer
     &expires_in=3600
     &scope=read",
  ...
}

=> The access token duration for read scope is used.

3. Response to an authorization request with “write” scope

{ 
  "type":"authorizationIssueResponse",
  "accessTokenDuration":600,
  "responseContent":"https://client.example.org/cb/example.com#
    access_token=lZ4rjCLlwDvgO2wgOaXhDhNGMhpUE_yGi3pyTPcHFyU
     &token_type=Bearer
     &expires_in=600
     &scope=write",
  ...
}

=> The access token duration for write scope is used.

4. Response to an authorization request with “read” and “write” scopes 

{
  "type":"authorizationIssueResponse",
  "accessTokenDuration":600,
  "responseContent":"https://client.example.org/cb/example.com
    #access_token=3zQNzTiX5MUxO1Gy0ZFfD7mhn3U1Cg3Q15rhjNob6uc
     &token_type=Bearer
     &expires_in=600
     &scope=read+write",
  ...
}

=> The access token duration for write scope is used.
How did we do with this article?