How to specify token(s) on updating its information
With Authlete's API, an authorization server can update the expiration time, scopes and other values of tokens that have already been issued.
There are two ways to specify which tokens to update: specifying a single token, or specifying a single client together with one of the users who have granted access to that client.
This article summarizes both methods.
Authlete provides the /auth/token/update API. With it you can modify values of an arbitrary token that has been issued to a client, for example its new expiration time ("accessTokenExpiresAt") or new scopes ("scopes").
In addition, you can store arbitrary key/value pairs that are unrelated to OAuth 2.0 in Authlete's database as properties ("properties"). This is useful when you have information associated with an access token and would like Authlete to manage it for you.
Authlete provides the /client/authorization/update API. The tokens to be updated are identified by a client ("clientId") and a user ("subject"), one of the users who have granted access to that client.
This API is useful when you want to update all of the permissions that a specific user has granted to a specific client. An example use case is as follows:
1. A user grants read-only access to a client on first use. The client obtains a first access token that has the "read" scope.
2. The user uses the client for some time and comes to consider that the client may also update his/her information, so the user grants read-write access to the client in addition to read-only. The client obtains a second access token that has the "read" and "write" scopes.
3. The user keeps using the client and at some point changes his/her mind and wants to revoke the write permission. The user logs in to the authorization server, browses the list of connected clients, and revokes the "write" access that was granted to the client.
The authorization server can leverage the /client/authorization/update API to implement step 3 above: it only has to call this API once with the new scope value ("read"), rather than searching for and updating each of the user's tokens for that client individually.
For reference, there is an example in another article (Managing issued tokens granted by each user), in the section "Updating authorization scopes for one of clients which have been authorized by a user".
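As an added example (not Authlete's own code and not taken from this article), the following Python builds the request bodies for both update methods described above and models, on a constructed token list, what the client/user method does to the two tokens from the scenario. The base URL, HTTP Basic authentication with a service API key/secret, the "token" parameter name of /auth/token/update, the millisecond unit of "accessTokenExpiresAt" and the {key, value, hidden} shape of each "properties" entry are assumptions, not facts stated on this page.

```python
"""Two ways to target issued tokens for update via Authlete's API (added example).

Assumptions not taken from the article: the Authlete base URL, HTTP Basic
authentication with the service API key/secret, the "token" parameter name of
/auth/token/update, that accessTokenExpiresAt is milliseconds since the epoch,
and the {key, value, hidden} shape of each entry in "properties".
"""
import base64
import json
import urllib.request
from datetime import datetime, timedelta, timezone

AUTHLETE_BASE_URL = "https://api.authlete.com/api"   # assumed base URL
SERVICE_API_KEY = "<service-api-key>"                 # placeholder credential
SERVICE_API_SECRET = "<service-api-secret>"           # placeholder credential


def expires_at_ms(lifetime, now=None):
    """Absolute expiry as milliseconds since the epoch (assumed unit)."""
    now = now or datetime.now(timezone.utc)
    return int((now + lifetime).timestamp() * 1000)


def token_update_request(access_token, *, lifetime=None, scopes=None, properties=None):
    """Body for /auth/token/update: exactly one token, identified by its value.
    Only the fields you pass are included, so values you omit stay as they are."""
    body = {"token": access_token}  # parameter name is an assumption
    if lifetime is not None:
        body["accessTokenExpiresAt"] = expires_at_ms(lifetime)
    if scopes is not None:
        body["scopes"] = list(scopes)
    if properties is not None:
        # Arbitrary non-OAuth key/value pairs stored alongside the token.
        # The "hidden" field is an assumed part of the entry shape.
        body["properties"] = [
            {"key": k, "value": v, "hidden": False} for k, v in properties.items()
        ]
    return body


def client_authorization_update_request(client_id, subject, scopes):
    """Body for /client/authorization/update: every token that user `subject`
    granted to `client_id` receives the same new scope set in one call."""
    return {"clientId": client_id, "subject": subject, "scopes": list(scopes)}


def apply_client_authorization_update(tokens, body):
    """Local model of the server-side effect: replace the scopes of every token
    matching (clientId, subject); tokens of other users or clients are untouched.
    Returns a new list and leaves the input unchanged."""
    updated = []
    for t in tokens:
        if t["clientId"] == body["clientId"] and t["subject"] == body["subject"]:
            t = {**t, "scopes": list(body["scopes"])}
        updated.append(t)
    return updated


def post_to_authlete(path, body):
    """Send one request to Authlete (network call; not exercised offline)."""
    creds = base64.b64encode(f"{SERVICE_API_KEY}:{SERVICE_API_SECRET}".encode()).decode()
    req = urllib.request.Request(
        AUTHLETE_BASE_URL + path,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Basic " + creds},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample data: the article's scenario, two tokens held by one user
# for one client (plus another user's token that must not be affected).
SAMPLE_TOKENS = [
    {"token": "tok-1", "clientId": 1001, "subject": "alice", "scopes": ["read"]},
    {"token": "tok-2", "clientId": 1001, "subject": "alice", "scopes": ["read", "write"]},
    {"token": "tok-3", "clientId": 1001, "subject": "bob", "scopes": ["read", "write"]},
]

if __name__ == "__main__":
    # Method 1: a single token, here extending its lifetime and tagging it.
    print(token_update_request("tok-1", lifetime=timedelta(hours=1),
                               properties={"tier": "gold"}))
    # Method 2: step 3 of the scenario, one call instead of a search-and-update.
    body = client_authorization_update_request(1001, "alice", ["read"])
    for t in apply_client_authorization_update(SAMPLE_TOKENS, body):
        print(t["token"], t["subject"], t["scopes"])
    # post_to_authlete("/client/authorization/update", body)  # the real call
```

Running the script shows both of alice's tokens reduced to the "read" scope while bob's token keeps "read" and "write"; the single-token method, by contrast, touches only the token whose value you pass.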