Token Duration Per Scope

Overview

In Authlete 3.0, token durations can be configured at the Service level, Client level, and Scope level. Configuring token durations per scope provides fine-grained control, such as issuing shorter-lived tokens for higher-privilege scopes like write while allowing longer durations for lower-privilege scopes like read.

For more details on configuring token durations statically at the client level, refer to the Token Duration Per Client documentation.

This short article explains how to set token durations for access tokens at the scope level.


Configuring Token Duration Per Scope

To configure token durations for specific scopes in Authlete 3.0, follow these steps:

  1. Log in to the Authlete Management Console.
  2. Navigate to Service Settings > Tokens and Claims > Advanced.
  3. Under the Supported Scopes section, click the Add button.
  4. In the Add/Edit Supported Scope dialog:
    • Enter the Scope Name (e.g., read or write).
    • Provide a description for the scope.
  5. Scroll to the Scope Attributes section.
  6. Click Add to add a new attribute:
    • Set the Key to access_token.duration.
    • Set the Value to the desired token duration in seconds (e.g., 3600 for 1 hour).
  7. Click Add again at the bottom of the dialog to save the scope attribute.

Example

Assume there is a service and two scopes configured within it. The access token durations are set as follows:

Entity         Access Token Duration (seconds)
Service        86,400
read scope     3,600
write scope    600

Under these conditions, Authlete’s /auth/authorization/issue API responds to implicit grant flow authorization requests as follows, depending on the scopes requested.

1. Response to an authorization request with no scopes

{
    "type": "authorizationIssueResponse",
    "accessTokenDuration": 86400,
    "responseContent": "https://client.example.org/cb/example.com
        #access_token=xbNhif-bsWOPyRasrEFUFurBSQUHnarjv6sMz8cSDjg
        &token_type=Bearer
        &expires_in=86400
        &scope=",
    ...
}

Explanation: The access token duration for the service is used since no scopes are provided.

2. Response to an authorization request with read scope

{
    "type": "authorizationIssueResponse",
    "accessTokenDuration": 3600,
    "responseContent": "https://client.example.org/cb/example.com
        #access_token=8ihMgxhMf-HYBy-O2rYVlMHEQD7WcvFGUhaXfP3YZHs
        &token_type=Bearer
        &expires_in=3600
        &scope=read",
    ...
}

Explanation: The access token duration for the read scope is used.

3. Response to an authorization request with write scope

{
    "type": "authorizationIssueResponse",
    "accessTokenDuration": 600,
    "responseContent": "https://client.example.org/cb/example.com
        #access_token=lZ4rjCLlwDvgO2wgOaXhDhNGMhpUE_yGi3pyTPcHFyU
        &token_type=Bearer
        &expires_in=600
        &scope=write",
    ...
}

Explanation: The access token duration for the write scope is used.

4. Response to an authorization request with read and write scopes

{
    "type": "authorizationIssueResponse",
    "accessTokenDuration": 600,
    "responseContent": "https://client.example.org/cb/example.com
        #access_token=3zQNzTiX5MUxO1Gy0ZFfD7mhn3U1Cg3Q15rhjNob6uc
        &token_type=Bearer
        &expires_in=600
        &scope=read+write",
    ...
}

Explanation: The access token duration for the write scope is used since it has the shortest duration among the requested scopes.
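The four responses above follow one rule: with no scopes the service-level duration applies, and otherwise the shortest access_token.duration among the requested scopes wins, so bundling write with read cannot stretch the write token's lifetime. The following Python script is an added example, not Authlete's code: it models that rule over the configuration from the table, builds the supportedScopes entries the console dialog creates (the name/attributes key-value shape is assumed to match Authlete's Service/Scope JSON; compare against your own service export), and verifies that expires_in in an issued implicit-grant response matches the configured duration. How Authlete treats a request mixing scopes that have the attribute with scopes that do not is not shown on the page; the resolver assumes such scopes simply do not contribute. Token values in the constructed sample responses are placeholders.

```python
"""Resolve and verify per-scope access token durations (added example)."""
from urllib.parse import parse_qs, urlsplit

# Constructed configuration mirroring the table in the Example section (seconds).
SERVICE_ACCESS_TOKEN_DURATION = 86400
SCOPE_ATTRIBUTES = {
    "read": {"access_token.duration": "3600"},
    "write": {"access_token.duration": "600"},
}


def supported_scopes_config(scope_attributes=SCOPE_ATTRIBUTES):
    """Build the supportedScopes entries that the console dialog creates.

    Assumption: name + attributes as key/value pairs, as in Authlete's
    Service/Scope JSON representation.
    """
    return [
        {"name": name,
         "attributes": [{"key": k, "value": v} for k, v in attrs.items()]}
        for name, attrs in scope_attributes.items()
    ]


def resolve_access_token_duration(requested_scopes,
                                  scope_attributes=SCOPE_ATTRIBUTES,
                                  service_default=SERVICE_ACCESS_TOKEN_DURATION):
    """Apply the rule shown in the Example section.

    - No scopes requested: the service-level duration applies.
    - Otherwise the shortest access_token.duration among the requested scopes wins.
    Assumption: requested scopes without the attribute do not contribute.
    """
    durations = [
        int(scope_attributes[s]["access_token.duration"])
        for s in requested_scopes
        if "access_token.duration" in scope_attributes.get(s, {})
    ]
    return min(durations) if durations else service_default


def parse_implicit_response(response_content):
    """Extract token parameters from the fragment of an implicit-grant redirect URL."""
    params = parse_qs(urlsplit(response_content).fragment, keep_blank_values=True)
    return {
        "expires_in": int(params["expires_in"][0]),
        "token_type": params["token_type"][0],
        # parse_qs decodes '+' to ' ', so "read+write" becomes ["read", "write"].
        "scope": params.get("scope", [""])[0].split(),
    }


def check_issued_token(issue_response, scope_attributes=SCOPE_ATTRIBUTES,
                       service_default=SERVICE_ACCESS_TOKEN_DURATION):
    """True if expires_in and accessTokenDuration both equal the configured duration."""
    parsed = parse_implicit_response(issue_response["responseContent"])
    expected = resolve_access_token_duration(parsed["scope"], scope_attributes,
                                             service_default)
    return parsed["expires_in"] == expected == issue_response["accessTokenDuration"]


# Constructed sample responses in the shape of /auth/authorization/issue output.
_CB = "https://client.example.org/cb/example.com#access_token=%s&token_type=Bearer&expires_in=%d&scope=%s"
SAMPLE_RESPONSES = [
    {"type": "authorizationIssueResponse", "accessTokenDuration": 86400,
     "responseContent": _CB % ("PLACEHOLDER_TOKEN_0", 86400, "")},
    {"type": "authorizationIssueResponse", "accessTokenDuration": 3600,
     "responseContent": _CB % ("PLACEHOLDER_TOKEN_1", 3600, "read")},
    {"type": "authorizationIssueResponse", "accessTokenDuration": 600,
     "responseContent": _CB % ("PLACEHOLDER_TOKEN_2", 600, "write")},
    {"type": "authorizationIssueResponse", "accessTokenDuration": 600,
     "responseContent": _CB % ("PLACEHOLDER_TOKEN_3", 600, "read+write")},
]

if __name__ == "__main__":
    print(supported_scopes_config())
    for response in SAMPLE_RESPONSES:
        scopes = parse_implicit_response(response["responseContent"])["scope"]
        print(scopes or "(none)", response["accessTokenDuration"],
              "ok" if check_issued_token(response) else "MISMATCH")
```

Run it as a script to see each sample response checked against the rule; the check function is also a handy regression test to run against a real issue response after changing a scope attribute, since a typo in the attribute key silently falls back to the longer service-level duration.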
