Skip to main content
This page is for Authlete 2.x. For current (3.0) documentation, see this page.

Overview

This document explains access/refresh token duration per scope.
This feature is available since Authlete 2.0.

Introduction

In Authlete 1.1, access (refresh) token duration can only be set for each service. Since Authlete 2.0, it can be set for each scope. This allows more granular token duration settings such as “making token duration shorten when the write scope is requested, since tokens issued with the write scope are considered to have a higher level permission than others”.

How to determine token duration

See How Authlete determines token duration.

Configuration

To use this feature, you need to set scope attributes on service owner console. For more details, see Scope attributes. token-duration-per-scope_1

Example

Assume there are a service and two scopes configured within it. Values of access token duration are set to the service and the scopes as follows.
EntityAccess token duration (seconds)
Service86,400
read scope3,600
write scope600
Under this condition, Authlete’s POST /auth/authorization/issue API makes the following responses to implicit grant flow authorization requests using either combination of scopes.

1. Response to an authorization request with no scopes

{
    "type": "authorizationIssueResponse",
    "accessTokenDuration": 86400,
    "responseContent": "https://client.example.org/cb/example.com#access_token=xbNhif-bsWOPyRasrEFUFurBSQUHnarjv6sMz8cSDjg&token_type=Bearer&expires_in=86400&scope=",
    "..."
}
=> The access token duration for the service is used.

2. Response to an authorization request with “read” scope

{
    "type": "authorizationIssueResponse",
    "accessTokenDuration": 3600,
    "responseContent": "https://client.example.org/cb/example.com#access_token=8ihMgxhMf-HYBy-O2rYVlMHEQD7WcvFGUhaXfP3YZHs&token_type=Bearer&expires_in=3600&scope=read",
    "..."
}
=> The access token duration for read scope is used.

3. Response to an authorization request with “write” scope

{
    "type": "authorizationIssueResponse",
    "accessTokenDuration": 600,
    "responseContent": "https://client.example.org/cb/example.com#access_token=lZ4rjCLlwDvgO2wgOaXhDhNGMhpUE_yGi3pyTPcHFyU&token_type=Bearer&expires_in=600&scope=write",
    "..."
}
=> The access token duration for write scope is used.

4. Response to an authorization request with “read” and “write” scopes

{
    "type": "authorizationIssueResponse",
    "accessTokenDuration": 600,
    "responseContent": "https://client.example.org/cb/example.com#access_token=3zQNzTiX5MUxO1Gy0ZFfD7mhn3U1Cg3Q15rhjNob6uc&token_type=Bearer&expires_in=600&scope=read+write",
    "..."
}
=> The access token duration for write scope is used.