In Authlete 3.0, token durations can be configured at multiple levels, including the Service level and the Client level. These durations can be set statically at these levels or configured dynamically based on specific scopes. For more details on dynamic configuration, refer to the Token Duration Per Scope documentation.
This short article explains how to set token durations for access tokens and refresh tokens at the client level.
To configure the token duration for access tokens or refresh tokens, follow these steps:
Assume a service with two clients registered with it, and access token durations configured as follows:

| Entity | Access Token Duration (seconds) |
|---|---|
| Service | 86,400 |
| Client 1 | (not set) |
| Client 2 | 3,000 |
Under these conditions, Authlete’s /auth/authorization/issue API responds to implicit grant flow authorization requests from the two clients as follows.
Client 1:

```json
{
  "type": "authorizationIssueResponse",
  "accessTokenDuration": 86400,
  "responseContent": "https://client.example.org/cb/example.com#access_token=1zT0XRynwLryWYRKCYSDjrwku5sD-WQTCtC1tnfExZE&token_type=Bearer&expires_in=86400&scope=openid"
}
```
Explanation: No access token duration is configured for Client 1, so the Service-level value (86,400 seconds) is used. Note that the `accessTokenDuration` reported by the API and the `expires_in` parameter placed in the redirect URI fragment carry the same value.
Client 2:

```json
{
  "type": "authorizationIssueResponse",
  "accessTokenDuration": 3000,
  "responseContent": "https://client.example.org/cb/example.com#access_token=xg79MJucCq8f8QPA2_o9_q5nfzgbRQycgVwYSvMSWTY&token_type=Bearer&expires_in=3000&scope=openid"
}
```
Explanation: Client 2 has an explicitly configured access token duration (3,000 seconds), so it overrides the Service-level value.
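The following is an added example, not Authlete's own code, showing the fallback rule above in one place and a check an authorization server operator can run against the /auth/authorization/issue response: it parses the `expires_in` parameter out of the fragment of `responseContent` and verifies that it agrees with both the reported `accessTokenDuration` and the duration expected from the Service- and Client-level settings. The two embedded responses are the ones shown in this article; the treatment of `0` as "not set" at the Client level is an assumption of this example.

```python
"""Added example (not from Authlete): resolve the effective access token
duration from Service- and Client-level settings and verify that an
authorizationIssueResponse reflects it."""
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# The two responses shown in the article, joined into valid JSON strings.
CLIENT1_RESPONSE = json.dumps({
    "type": "authorizationIssueResponse",
    "accessTokenDuration": 86400,
    "responseContent": "https://client.example.org/cb/example.com"
                       "#access_token=1zT0XRynwLryWYRKCYSDjrwku5sD-WQTCtC1tnfExZE"
                       "&token_type=Bearer&expires_in=86400&scope=openid",
})
CLIENT2_RESPONSE = json.dumps({
    "type": "authorizationIssueResponse",
    "accessTokenDuration": 3000,
    "responseContent": "https://client.example.org/cb/example.com"
                       "#access_token=xg79MJucCq8f8QPA2_o9_q5nfzgbRQycgVwYSvMSWTY"
                       "&token_type=Bearer&expires_in=3000&scope=openid",
})


def effective_duration(service_duration: int, client_duration: Optional[int]) -> int:
    """Client-level value wins when explicitly set; otherwise the Service-level
    value applies. Assumption for this example: None or 0 means 'not set'."""
    if client_duration is None or client_duration <= 0:
        return service_duration
    return client_duration


def parse_issue_response(response_json: str) -> dict:
    """Extract the duration the API reports and the expires_in the client will
    actually see. In the implicit flow the token parameters travel in the
    URI fragment, so the fragment (not the query) is parsed."""
    resp = json.loads(response_json)
    if resp.get("type") != "authorizationIssueResponse":
        raise ValueError("not an authorizationIssueResponse")
    fragment = urlsplit(resp["responseContent"]).fragment
    params = parse_qs(fragment, strict_parsing=True)
    return {
        "accessTokenDuration": int(resp["accessTokenDuration"]),
        "expires_in": int(params["expires_in"][0]),
        "token_type": params["token_type"][0],
        "scope": params["scope"][0],
    }


def check_response(response_json: str, service_duration: int,
                   client_duration: Optional[int]) -> bool:
    """True when the reported duration, the fragment's expires_in and the
    duration expected from the configuration all agree."""
    parsed = parse_issue_response(response_json)
    expected = effective_duration(service_duration, client_duration)
    return parsed["accessTokenDuration"] == expected == parsed["expires_in"]


if __name__ == "__main__":
    print("client 1:", check_response(CLIENT1_RESPONSE, 86400, None))
    print("client 2:", check_response(CLIENT2_RESPONSE, 86400, 3000))
```

Running the script prints `True` for both clients; feeding the Client 2 response with `client_duration=None` makes `check_response` return `False`, which is the mismatch you would see if a client-level override had been set without your knowledge.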