Update an access token.
A service ID.
An access token.
A new date at which the access token will expire in milliseconds since the Unix epoch (1970-01-01).
If the accessTokenExpiresAt request parameter is not included in a request or its value is 0
(or negative), the expiration date of the access token is not changed.
A new set of scopes assigned to the access token. Scopes that are not supported by the service
and those that the client application associated with the access token is not allowed to request
are ignored on the server side. If the scopes request parameter is not included in a request or
its value is null, the scopes of the access token are not changed. Note that the properties parameter
is accepted only when the Content-Type of the request is application/json, so don't use application/x-www-form-urlencoded
if you want to specify properties.
A new set of properties assigned to the access token. If the properties request parameter is
not included in a request or its value is null, the properties of the access token are not changed.
A boolean request parameter which indicates whether the API attempts to update the expiration date of the access token when the scopes linked to the access token are changed by this request.
The hash of the access token value. Used when the hash of the token is known (perhaps from lookup)
but the value of the token itself is not. The value of the accessToken parameter takes precedence.
A boolean request parameter which indicates whether to update the value of the access token in
the data store. If this parameter is set to true then a new access token value is generated
by the server and returned in the response.
The flag which indicates whether the access token expires or not. By default, all access tokens
expire after a period of time determined by their service. If this request parameter is true
then the access token will not automatically expire and must be revoked or deleted manually at
the service.
If this request parameter is true, the accessTokenExpiresAt request parameter is ignored.
If this request parameter is false, the accessTokenExpiresAt request parameter is processed
normally.
The thumbprint of the MTLS certificate bound to this token. If this property is set, a certificate with the corresponding value MUST be presented with the access token when it is used by a client. The value of this property must be a SHA256 certificate thumbprint, base64url encoded.
The thumbprint of the public key used for DPoP presentation of this token. If this property is
set, a DPoP proof signed with the corresponding private key MUST be presented with the access
token when it is used by a client. Additionally, the token's token_type will be set to 'DPoP'.
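The two thumbprints described above can be computed and checked as follows. This is an added example, not Authlete's own code: the function names and sample inputs are hypothetical, and it assumes the DPoP key thumbprint is the RFC 7638 JWK SHA-256 thumbprint that RFC 9449 uses for token binding.

```python
import base64
import hashlib
import hmac
import json
import ssl

# Required members per key type for an RFC 7638 JWK thumbprint.
REQUIRED = {"EC": ("crv", "kty", "x", "y"),
            "RSA": ("e", "kty", "n"),
            "OKP": ("crv", "kty", "x")}

def b64url_sha256(data: bytes) -> str:
    """SHA-256 digest, base64url encoded without '=' padding."""
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def certificate_thumbprint(pem: str) -> str:
    """Thumbprint over the DER encoding of a PEM certificate."""
    return b64url_sha256(ssl.PEM_cert_to_DER_cert(pem))

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: hash only the required public members, sorted, no whitespace."""
    names = REQUIRED.get(jwk.get("kty"))
    if names is None:
        raise ValueError("unsupported kty for a DPoP public key")
    if "d" in jwk:
        raise ValueError("JWK carries private key material")
    canonical = json.dumps({n: jwk[n] for n in names},
                           separators=(",", ":"), sort_keys=True)
    return b64url_sha256(canonical.encode("utf-8"))

def binding_matches(bound: str, presented: str) -> bool:
    """Constant-time comparison of the bound thumbprint with the presented one."""
    return hmac.compare_digest(bound.encode(), presented.encode())

# Constructed sample inputs (not a real certificate, not a valid curve point).
SAMPLE_DER = b"constructed DER placeholder bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
_COORD = base64.urlsafe_b64encode(bytes(range(32))).rstrip(b"=").decode("ascii")
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": _COORD, "y": _COORD}

if __name__ == "__main__":
    print("certificate thumbprint:", certificate_thumbprint(SAMPLE_PEM))
    print("DPoP key thumbprint:   ", jwk_thumbprint(SAMPLE_JWK))
```

A resource server would compare the thumbprint bound to the token against the one computed from the presented certificate or from the public key in the DPoP proof, and reject the request when binding_matches returns False.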
The authorization details. This represents the value of the authorization_details
request parameter in the preceding device authorization request which is defined in
"OAuth 2.0 Rich Authorization Requests".
The flag which indicates whether the access token is for an external attachment.
A new date at which the refresh token will expire in milliseconds since the Unix epoch (1970-01-01).
If the refreshTokenExpiresAt request parameter is not included in a request or its value is 0
(or negative), the expiration date of the refresh token is not changed.
A boolean request parameter which indicates whether the API attempts to update the expiration date of the refresh token when the scopes linked to the refresh token are changed by this request.
The token identifier.
The code which represents the result of the API call.
A short message which explains the result of the API call.
The next action that the authorization server implementation should take.
INTERNAL_SERVER_ERROR, INVALID_CLIENT, BAD_REQUEST, PASSWORD, OK, TOKEN_EXCHANGE, JWT_BEARER
The content that the authorization server implementation is to return to the client application.
Its format varies depending on the value of action parameter.
The value of username request parameter in the token request.
The client application must specify username when it uses Resource Owner Password Grant.
In other words, when the value of grant_type request parameter is password, username request parameter must come along.
This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.
The value of password request parameter in the token request.
The client application must specify password when it uses Resource Owner Password Grant.
In other words, when the value of grant_type request parameter is password, password request parameter must come along.
This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.
The ticket which is necessary to call Authlete's /auth/token/fail API or /auth/token/issue API.
This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.
The newly issued access token.
The datetime at which the newly issued access token will expire. The value is represented in milliseconds since the Unix epoch (1970-01-01).
The duration of the newly issued access token in seconds.
The newly issued refresh token.
The datetime at which the newly issued refresh token will expire. The value is represented in milliseconds since the Unix epoch (1970-01-01).
The duration of the newly issued refresh token in seconds.
The newly issued ID token. Note that an ID token is issued from a token endpoint only when the response_type request parameter
of the authorization request to an authorization endpoint contained code and the scope request parameter contained openid.
The grant type of the token request.
The client ID.
The client ID alias when the token request was made. If the client did not have an alias, this parameter is null.
Also, if the token request was invalid and it failed to identify a client, this parameter is null.
The flag which indicates whether the client ID alias was used when the token request was made.
true if the client ID alias was used when the token request was made.
The subject (= resource owner's ID) of the access token.
Even if an access token has been issued by the call of /api/auth/token API, this parameter is null if the flow of the token request was
Client Credentials Flow (grant_type=client_credentials) because it means the access token
is not associated with any specific end-user.
The scopes covered by the access token.
The extra properties associated with the access token.
This parameter is null when no extra property is associated with the issued access token.
The newly issued access token in JWT format. If the authorization server is configured
to issue JWT-based access tokens (= if the service's accessTokenSignAlg value is a
non-null value), a JWT-based access token is issued along with the original random-string
one.
The resources specified by the resource request parameters in the token request.
See "Resource Indicators for OAuth 2.0" for details.
The target resources of the access token being issued. See "Resource Indicators for OAuth 2.0" for details.
The authorization details. This represents the value of the authorization_details
request parameter in the preceding device authorization request which is defined in
"OAuth 2.0 Rich Authorization Requests".
The attributes of this service that the client application belongs to.
The attributes of the client.
The client authentication method that was performed at the token endpoint.
The value of the grant_id request parameter of the device authorization request.
The grant_id request parameter is defined in Grant Management for OAuth 2.0, which is supported by Authlete 2.3 and newer versions.
The audiences on the token exchange request.
The grant type of the access token when the access token was created.
urn:ietf:params:oauth:token-type:jwt, urn:ietf:params:oauth:token-type:access_token, urn:ietf:params:oauth:token-type:refresh_token, urn:ietf:params:oauth:token-type:id_token, urn:ietf:params:oauth:token-type:saml1, urn:ietf:params:oauth:token-type:saml2, DEVICE_CODE, TOKEN_EXCHANGE, JWT_BEARER
The grant type of the access token when the access token was created.
urn:ietf:params:oauth:token-type:jwt, urn:ietf:params:oauth:token-type:access_token, urn:ietf:params:oauth:token-type:refresh_token, urn:ietf:params:oauth:token-type:id_token, urn:ietf:params:oauth:token-type:saml1, urn:ietf:params:oauth:token-type:saml2, DEVICE_CODE, TOKEN_EXCHANGE, JWT_BEARER
The grant type of the access token when the access token was created.
urn:ietf:params:oauth:token-type:jwt, urn:ietf:params:oauth:token-type:access_token, urn:ietf:params:oauth:token-type:refresh_token, urn:ietf:params:oauth:token-type:id_token, urn:ietf:params:oauth:token-type:saml1, urn:ietf:params:oauth:token-type:saml2, DEVICE_CODE, TOKEN_EXCHANGE, JWT_BEARER
For RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants.
Indicates whether the previous refresh token that had been kept in the database for a short time was used.
The entity ID of the client.
Flag which indicates whether the entity ID of the client was used when the request for the access token was made.
Duration of the c_nonce in seconds.
Get the expected nonce value for DPoP proof JWT, which should be used
as the value of the DPoP-Nonce HTTP header.
Get the c_nonce.
Get the time at which the c_nonce expires in milliseconds since
the Unix epoch (1970-01-01).
Get the names of the claims that the authorization request (which resulted in generation of the access token) requested to be embedded in ID tokens.
Scopes associated with the refresh token.
The session ID, which is the ID of the user's authentication session, associated with a newly created access token.
If the response from the /auth/token API contains the deviceSecret parameter, its value should
be used as the value of this deviceSecret request parameter to the /nativesso API. The authorization
server may choose to issue a new device secret; in that case, it is free to generate a new device
secret and specify the new value.
If the response from the /auth/token API does not contain the deviceSecret parameter, or
if its value is invalid, the authorization server must generate a new device secret and specify
it in the deviceSecret parameter to the /nativesso API.
The specified value is used as the value of the device_secret property in the token response.
The authorization server should compute the hash value of the device secret based on its own logic
and specify the computed hash as the value of this deviceSecretHash request parameter to the
/nativesso API.
When the deviceSecretHash parameter is omitted, the implementation of the /nativesso API
generates the device secret hash by computing the SHA-256 hash of the device secret and encoding
it with base64url. Note that this hash computation logic is not a rule defined in the Native SSO
specification; rather, it is Authlete-specific fallback logic used when the deviceSecretHash
parameter is omitted.