Token duration per scope
Overview
This document explains access/refresh token duration per scope.
Introduction
In Authlete 1.1, access (refresh) token duration can only be set for each service. Since Authlete 2.0, it can be set for each scope. This allows more granular token duration settings such as "making token duration shorten when the write scope is requested, since tokens issued with the write scope are considered to have a higher level permission than others".
How to determine token duration
Configuration
To use this feature, you need to set scope attributes on service owner console. For more details, see "Scope attributes".

Example
Assume there are a service and two scopes configured within it. Values of access token duration are set to the service and the scopes as follows.
Entity |
Access token duration (seconds) |
Service |
86,400 |
read scope |
3,600 |
write scope |
600 |
Under this condition, Authlete's /auth/authorization/issue API make the following responses to implicit grant flow authorization requests using either combination of scopes.
1. Response to an authorization request with no scopes
{ "type":"authorizationIssueResponse", "accessTokenDuration":86400, "responseContent":"https://client.example.org/cb/example.com #access_token=xbNhif-bsWOPyRasrEFUFurBSQUHnarjv6sMz8cSDjg &token_type=Bearer &expires_in=86400 &scope=", ... }
=> The access token duration for the service is used.
2. Response to an authorization request with “read” scope
{ "type":"authorizationIssueResponse", "accessTokenDuration":3600, "responseContent":"https://client.example.org/cb/example.com #access_token=8ihMgxhMf-HYBy-O2rYVlMHEQD7WcvFGUhaXfP3YZHs &token_type=Bearer &expires_in=3600 &scope=read", ... }
=> The access token duration for read scope is used.
3. Response to an authorization request with “write” scope
{ "type":"authorizationIssueResponse", "accessTokenDuration":600, "responseContent":"https://client.example.org/cb/example.com# access_token=lZ4rjCLlwDvgO2wgOaXhDhNGMhpUE_yGi3pyTPcHFyU &token_type=Bearer &expires_in=600 &scope=write", ... }
=> The access token duration for write scope is used.
4. Response to an authorization request with “read” and “write” scopes
{ "type":"authorizationIssueResponse", "accessTokenDuration":600, "responseContent":"https://client.example.org/cb/example.com #access_token=3zQNzTiX5MUxO1Gy0ZFfD7mhn3U1Cg3Q15rhjNob6uc &token_type=Bearer &expires_in=600 &scope=read+write", ... }
=> The access token duration for write scope is used.
How did we do with this article?