Access Token
An Access Token is a short-lived credential that an application can use to access an API. Its purpose is to inform the API that the bearer of this token has been authorized to access that specific API.
Access Tokens should be sent to an API according to the OAuth 2.0 Bearer Token Usage specification (RFC 6750). Specifically, the Access Token is sent to the API in the HTTP Authorization header.
Static clients
The Token Server issues a JWT as access token. However, the receiver does not have to treat it as a JWT: it can also treat it as an opaque token and present it to the Token Server for validation. See the Token Introspection documentation for details on validating an access token.
Example JWT Access Token
In this section you can see an example of a JWT Access Token. A JWT contains three sections: a header, a payload and a signature. Only the header and payload sections are displayed in the example below.
Header
```json
{
  "kid": "f463bf2c-81a6-4979-82a5-aa5d032b6fe5",
  "alg": "RS256"
}
```
Payload
```json
{
  "ver": 1,
  "jti": "AT.d405c8b0-2afc-4720-a567-e890fecd28b2",
  "iss": "https://token-server.onegini.com/oauth",
  "aud": "profile-api",
  "iat": 1537437991,
  "nbf": 1537437991,
  "exp": 1537441591,
  "cid": "example-client",
  "scp": [
    "profile",
    "read"
  ],
  "sub": "1c0e2c84-b05f-4c23-9175-c238f70901be",
  "usl": 5
}
```
The payload of a JWT Access Token contains a number of claims. These claims can be used to validate the Access Token, and they also tell for whom the token was issued and which authorizations have been granted.
| Claim | Description |
|---|---|
| ver | Version indication for this Access Token |
| jti | JWT ID. A unique identifier of this JWT |
| iss | Issuer of this Access Token |
| aud | Audiences that this token is intended for |
| iat | Time the Access Token was issued |
| nbf | Time before which the Access Token is not valid |
| exp | Time the Access Token expires |
| cid | Client ID of the client that requested the Access Token |
| scp | Array of scopes that were granted for this Access Token |
| sub | User Identifier |
| usl | Usage Limit. Integer value that represents the usage limit for this Access Token |
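The checks an API would run on these claims, as an added example (not code from the Token Server or its documentation): it splits the compact JWT serialization, reads the `kid` from the header, and validates `iss`, `aud`, `nbf`, `exp` and `scp` against the values the API expects. The token is constructed from the header and payload shown above with a placeholder signature segment; signature verification with the key named by `kid` is assumed to happen before these claim checks and is not shown.

```python
import base64
import json
import time

# Values taken from the example token on this page.
EXPECTED_ISSUER = "https://token-server.onegini.com/oauth"
EXPECTED_AUDIENCE = "profile-api"

# Constructed example: the header and payload shown above. The signature
# segment is a placeholder, not a real RS256 signature over these bytes.
EXAMPLE_HEADER = {"kid": "f463bf2c-81a6-4979-82a5-aa5d032b6fe5", "alg": "RS256"}
EXAMPLE_PAYLOAD = {
    "ver": 1, "jti": "AT.d405c8b0-2afc-4720-a567-e890fecd28b2",
    "iss": EXPECTED_ISSUER, "aud": "profile-api",
    "iat": 1537437991, "nbf": 1537437991, "exp": 1537441591,
    "cid": "example-client", "scp": ["profile", "read"],
    "sub": "1c0e2c84-b05f-4c23-9175-c238f70901be", "usl": 5,
}

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment):
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_example_jwt():
    segs = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
            for p in (EXAMPLE_HEADER, EXAMPLE_PAYLOAD)]
    return ".".join(segs + [b64url_encode(b"placeholder-signature")])

def split_jwt(token):
    """Return (header dict, payload dict, raw signature bytes) from the compact form."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)

def validate_claims(payload, required_scope, now=None,
                    issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE):
    """Return a list of problems; empty means the claims are acceptable.
    Only meaningful after the signature has been verified with the key named by kid."""
    now = int(time.time()) if now is None else now
    problems = []
    if payload.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not include this API")
    if now < payload.get("nbf", 0):
        problems.append("token not yet valid (nbf)")
    if now >= payload.get("exp", 0):
        problems.append("token expired (exp)")
    if required_scope not in payload.get("scp", []):
        problems.append("missing scope " + required_scope)
    return problems
```

The `aud` check accepts both the single-string form used on this page and the array form JWT allows.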
Dynamic clients
Because of a limitation on the SDK side, the Token Server issues opaque tokens for dynamic clients.
Example Opaque Access Token
The Token Server generates an opaque access token as a 32-byte value, hex-encoded as a 64-character string.
E19C77561880BBF24F9E60B0D9051401FE2216A93F8683438A0DF2169CFE078F