Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This access token does not contain any information about the user except the ID (sub / subject).

Claims in access token

Certain claims can be limited by size in the access token, to avoid HTTP header oversize in some situations. Each claim type can be limited by setting the size limit in KB setting in the claim configuration user interface. Any value above 0 will limit the size.

If the size is reached on a claim type, the claim type claim_type_limit_reached is automatically added to the token. The claim contains a string or list of claim types that reached the limit. The claim type is still added but only filled with elements up to the limitation. It’s advised to load the data over the user info endpoint in this case. This behavior can help mitigate edge case, such as a user with several hundreds of delegations and an infrastructure that limits the HTTP header to 4 KB.

Identity Token

Whenever an application requires any information about the user that was authenticated, it should use the OpenID Connect Protocol to get an ID token. This ID token contains the requested information about a user such as the first or last name.

...

Both the id token and the access token usually are only valid for a number of seconds as indicated in the exp claim. In order to prolong the access token, there is the concept of a refresh token that can be user used to request a new access token without the users interaction. This allows an application to act on behalf of the user even beyond the users interaction. This is done by issuing a refresh token to the application. The application then can exchange that refresh token for a new access token.

Refresh Token Settings

Managing the lifetime of a refresh token is crucial for maintaining an application's security and usability. Here, the terms absolute and sliding refer to the refresh token's expiration settings.

Absolute expiration is a fixed period after which a token will expire, regardless of the user activity. Once set, the expiration time cannot be changed. This setting is crucial for scenarios where a strict policy on token lifetime is necessary due to security considerations.

For example, you might configure a refresh token to have an absolute expiration time of 30 days. Regardless of how often the user uses the token within those 30 days, it will expire at the end of that period.

...

Sliding expiration extends the expiration period of a token when newly issued (by the amount specified in the client configuration). This setting is useful for user experience, as active users do not need to re-authenticate or refresh their tokens as frequently.

For instance, if a sliding expiration is set for 5 days, and the user interacts with the application within those 5 days, the expiration time is reset to another 5 days from the last access, not exceeding a maximum limit if one is set (like 90 days).

...

Note

Important: You can combine the absolute expiration period with the sliding expiration period. Note that the absolute expiration serves as a hard limit of the tokens total lifetime. That means, that the sliding mechanism can extend the tokens duration, as long as it doesn’t exceed the absolute expiration period.

...

Note

Important: The clients needs to be explicitly authorized to request refresh tokens by setting AllowOfflineAccess to true.

Scenarios

E-Goverment: An example might be a user filling out a tax form. In this case, security is of high importance. The following settings might be helpful: Absolut for 4 hours and Sliding for 1 hour. In this case, requesting a new refresh and access token can be done 4 times, as the absolute expiration is set for 4 hours and the sliding setting is set for 1 hour.

Enterprise: An example might be an employee working with Atlassian Jira. In this case, security is of high importance, and so is user experience. The following settings might be helpful: Absolute for 8 hours and Sliding for 1 hour. In this case, requesting a new refresh and access token can be done 8 times, as the absolute expiration is set for 8 hours and the sliding setting is set for 1 hour.

Consumer: An example might be a regular user browsing a social media platform like Instagram. The user experience takes precedence. The following settings are recommended: Absolut for 1 Month and Sliding for 1 hour. These settings allow for a significant number of 720 requests for a new refresh and access token, as the absolute expiration is set for 1 Month (~approx. 720 hours) and the sliding setting is set for 1 hour.

Self-Contained vs Reference Token

A selfSelf-contained tokens are tokens that contain the claims inside a protected structure such as an JSON Web Token. The recipient of the token has all the information needed inside the token.

On the other hand, a reference token, or sometimes called opaque token, does not contain any information except the reference. This reference, an infeasible-to-guess id, can be used to access the token service in exchange for the required information by using a back-channel communication. Even tough though this requires additional calls to the token service, it offers greater security as the token service can immediately revoke tokens as the resource has to go through the resource service each time it needs to validate access.

To use the reference token, go into Admin UI; in the option “Access token type“, select the Reference option on the token tab.
In order to get the user claims, a call to the userinfo endpoint ({{idp_url}}/connect/userinfo) with a valid access token is needed.