An Access Token is a short-lived credential that an application uses to access an API. Its purpose is to indicate that the bearer of this token has been authorized to access a specific API. Access Tokens should be sent to an API according to the Bearer Token Usage specification. Specifically, the Access Token should be sent to the API in the HTTP
Refer to the API reference for how to obtain an access token.
The Opaque access token is a random 32-byte value, hex-encoded as a string of 64 characters. It does not contain any information about the validity of the token. The Opaque token is returned to all clients of a Mobile app and to the Web clients for which the Opaque token is configured.
Example Opaque Access Token
JSON Web Token (JWT)
OneWelcome Access can issue a JWT as access token. However, the receiver does not have to treat it as a JWT; it can also treat it as an opaque token and present it to OneWelcome Access for validation. Refer to the Token Introspection documentation for details on validating an access token.
The JWT token is returned when this is configured for a web client. It contains the user identifier when the access token is created for a specific user.
Example JWT Access Token
In this section you can see an example of a JWT Access Token. A JWT contains three sections: a header, a payload and a signature. Only the header and payload sections are displayed in the example below.
"scope" : "profile read",
The payload of a JWT Access Token contains a number of claims. These claims can be used to validate the Access Token, and they also tell for whom the token was issued and what authorizations have been granted.
| Claim | Description |
|---|---|
| | Version indication for this Access Token |
| `jti` | JWT ID. A unique identifier of this JWT |
| `iss` | Issuer of this Access Token |
| `aud` | Audiences that this token is intended for |
| `iat` | Time the Access Token was issued |
| `nbf` | Time before which the Access Token is not valid |
| `exp` | Time the Access Token expires |
| | Client ID of the client that requested the Access Token |
| `scope` | String value containing a space-separated list of scopes that were granted for this Access Token |
| | [Deprecated] Array of scopes that were granted for this Access Token |
| | Usage Limit. Integer value that represents the usage limit for this Access Token |
| `group_permissions` | [Deprecated] Stringified representation of the user's group memberships and permissions. Requires configuration of Delegated Administration |
| `urn:onegini.com:oidc:group_policies` | User's policies and group memberships. Requires configuration of Delegated Administration |

`group_permissions` is omitted when the size of the JWT Access Token would exceed the limit. This prevents the JWT Access Token from becoming too large to be used to request data. When `group_permissions` is expected but exceeds the limit, it can be requested via the token introspection endpoint. This claim is only returned when the OAuth Client requesting the Access Token has Group permissions version set to 'Legacy: V1' in its client configuration.

`urn:onegini.com:oidc:group_policies` is omitted when the size of the JWT Access Token would exceed the limit. This prevents the JWT Access Token from becoming too large to be used to request data. If the token length limit is exceeded, the `urn:onegini.com:oidc:group_policies` claim can be requested via the token introspection or user-info endpoints, or included in the ID token.