logo

Token duration per scope

Table of Contents

Token duration per scope

Overview

This document explains access/refresh token duration per scope.

This feature is available since Authlete 2.0.

Introduction

In Authlete 1.1, access (refresh) token duration can only be set for each service. Since Authlete 2.0, it can be set for each scope . This allows more granular token duration settings such as “making token duration shorten when the write scope is requested, since tokens issued with the write scope are considered to have a higher level permission than others”.

How to determine token duration

See “How Authlete determines token duration”.

Configuration

To use this feature, you need to set scope attributes on service owner console. For more details, see “Scope attributes”.

token-duration-per-scope_1

Example

Assume there are a service and two scopes configured within it. Values of access token duration are set to the service and the scopes as follows.

Entity Access token duration (seconds)
Service 86,400
read scope 3,600
write scope 600

Under this condition, Authlete’s /auth/authorization/issue API make the following responses to implicit grant flow authorization requests using either combination of scopes.

1. Response to an authorization request with no scopes

{
    "type": "authorizationIssueResponse",
    "accessTokenDuration": 86400,
    "responseContent": "https://client.example.org/cb/example.com
        #access_token=xbNhif-bsWOPyRasrEFUFurBSQUHnarjv6sMz8cSDjg
        &token_type=Bearer
        &expires_in=86400
        &scope=",
    ...
}

=> The access token duration for the service is used.

2. Response to an authorization request with “read” scope

{
    "type": "authorizationIssueResponse",
    "accessTokenDuration": 3600,
    "responseContent": "https://client.example.org/cb/example.com
                        #access_token=8ihMgxhMf-HYBy-O2rYVlMHEQD7WcvFGUhaXfP3YZHs
                        &token_type=Bearer
                        &expires_in=3600
                        &scope=read",

    ...
}

=> The access token duration for read scope is used.

3. Response to an authorization request with “write” scope

{
    "type": "authorizationIssueResponse",
    "accessTokenDuration": 600,
    "responseContent": "https://client.example.org/cb/example.com#access_token=lZ4rjCLlwDvgO2wgOaXhDhNGMhpUE_yGi3pyTPcHFyU
    &token_type=Bearer
    &expires_in=600
    &scope=write",
    ...
}

=> The access token duration for write scope is used.

4. Response to an authorization request with “read” and “write” scopes

{
    "type": "authorizationIssueResponse",
    "accessTokenDuration":600,
    "responseContent": "https://client.example.org/cb/example.com     #access_token=3zQNzTiX5MUxO1Gy0ZFfD7mhn3U1Cg3Q15rhjNob6uc
    &token_type=Bearer
    &expires\_in=600
    &scope=read+write,
"    ...
}

=> The access token duration for write scope is used.