Access Token
An Access Token is a short-lived credential that an application uses to access an API. Its purpose is to indicate that the bearer of the token has been authorized to access a specific API. Access Tokens should be sent to an API according to the OAuth 2.0 Bearer Token Usage specification (RFC 6750); specifically, the Access Token is sent to the API in the HTTP Authorization header.
Refer to the API reference for how to obtain an access token.
Opaque token
The Opaque access token is a random 32-byte value, hex-encoded as a 64-character string. It does not carry any information about its own validity. The Opaque token is returned to all mobile app clients and to the web clients for which the Opaque token is configured.
Example Opaque Access Token
E19C77561880BBF24F9E60B0D9051401FE2216A93F8683438A0DF2169CFE078F
JSON Web Token (JWT)
The Token Server can issue a JWT as access token. The receiver does not have to treat it as a JWT, however; it can also treat it as an opaque token and present it to the Token Server for validation. Refer to the Token Introspection documentation for details on validating an access token.
The JWT access token is returned when it is configured for a web client. It contains the user identifier when the access token is created for a specific user.
Example JWT Access Token
This section shows an example of a JWT Access Token. A JWT consists of three sections: a header, a payload and a signature. Only the header and payload sections are shown in the example below.
Header
```json
{
  "kid": "f463bf2c-81a6-4979-82a5-aa5d032b6fe5",
  "alg": "RS256"
}
```
Payload
```json
{
  "ver": 1,
  "jti": "AT.d405c8b0-2afc-4720-a567-e890fecd28b2",
  "iss": "https://token-server.onegini.com/oauth",
  "aud": "profile-api",
  "iat": 1537437991,
  "nbf": 1537437991,
  "exp": 1537441591,
  "cid": "example-client",
  "scp": [
    "profile",
    "read"
  ],
  "scope": "profile read",
  "sub": "1c0e2c84-b05f-4c23-9175-c238f70901be",
  "usl": 5
}
```
The payload of a JWT Access Token contains a number of claims. These claims can be used to validate the Access Token, and they also indicate for whom the token was issued and which authorizations were granted.
| Claim | Description |
|---|---|
| ver | Version indication for this Access Token |
| jti | JWT ID. A unique identifier of this JWT |
| iss | Issuer of this Access Token |
| aud | Audiences that this token is intended for |
| iat | Time the Access Token was issued |
| nbf | Time before which the Access Token is not valid |
| exp | Time the Access Token expires |
| cid | Client ID of the client that requested the Access Token |
| scope | String value containing a space-separated list of scopes that were granted for this Access Token. |
| scp | [Deprecated] Array of scopes that were granted for this Access Token. |
| sub | User Identifier |
| usl | Usage Limit. Integer value that represents the usage limit for this Access Token |
| group_permissions | Group memberships and permissions. Requires configuration of the DUM Engine. The group_permissions claim is omitted when the size of the JWT Access Token would exceed the limit; this prevents the JWT Access Token from becoming too large to be used for requesting data. When the group_permissions claim is expected but would exceed the limit, it can be retrieved via the token introspection endpoint. |
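The following is an added example, not code from the Onegini Token Server or its documentation, showing how an API would consume the token described above: extract the Bearer credential from the Authorization header (RFC 6750 syntax), distinguish a 64-character opaque token from a JWT, split the JWT into its three segments and check the registered claims from the table (`iss`, `aud`, `exp`, `nbf`, `iat`, `scope` with fallback to the deprecated `scp`). The sample token is constructed from the page's example header and payload with a placeholder third segment, so it is not signed; the 60-second clock leeway is an assumption. `validate_claims` deliberately takes the signature check as a precondition: in production the RS256 signature must first be verified with the public key that `kid` identifies, or the token must be handed to the introspection endpoint instead, before any claim is trusted.

```python
import base64
import json
import re
import time

# Constructed sample: the header and payload from the page's example, encoded as an
# unsigned JWT. The third segment is a placeholder, NOT a real RS256 signature.
EXAMPLE_HEADER = {"kid": "f463bf2c-81a6-4979-82a5-aa5d032b6fe5", "alg": "RS256"}
EXAMPLE_PAYLOAD = {
    "ver": 1,
    "jti": "AT.d405c8b0-2afc-4720-a567-e890fecd28b2",
    "iss": "https://token-server.onegini.com/oauth",
    "aud": "profile-api",
    "iat": 1537437991,
    "nbf": 1537437991,
    "exp": 1537441591,
    "cid": "example-client",
    "scp": ["profile", "read"],
    "scope": "profile read",
    "sub": "1c0e2c84-b05f-4c23-9175-c238f70901be",
    "usl": 5,
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_example_token() -> str:
    head = b64url_encode(json.dumps(EXAMPLE_HEADER, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(EXAMPLE_PAYLOAD, separators=(",", ":")).encode())
    return f"{head}.{body}.placeholder-signature"  # constructed, unsigned


# RFC 6750 token68 characters; an opaque token is exactly 64 hex digits (32 bytes).
BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$")
OPAQUE_RE = re.compile(r"^[0-9A-Fa-f]{64}$")


def extract_bearer_token(authorization: str) -> str:
    """Pull the credential out of an 'Authorization: Bearer <token>' header value."""
    m = BEARER_RE.match(authorization.strip())
    if not m:
        raise ValueError("missing or malformed Bearer credential")
    return m.group(1)


def is_opaque_token(token: str) -> bool:
    """True for the 64-character hex opaque format; such tokens go to introspection."""
    return bool(OPAQUE_RE.match(token))


def split_jwt(token: str):
    """Return (header, payload, encoded_signature) from a JWS compact serialization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWS compact serialization has exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts[2]


def validate_claims(header, payload, expected_iss, expected_aud, now=None, leeway=60):
    """Check the registered claims from the page's table and return the granted scopes.

    Precondition: the signature has already been verified with the public key that
    header["kid"] identifies. Claims from an unverified token must never be trusted.
    'sub' is not required because tokens not issued for a specific user omit it.
    """
    now = int(time.time()) if now is None else now
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    for claim in ("iss", "aud", "exp", "jti"):
        if claim not in payload:
            raise ValueError(f"missing required claim {claim}")
    if payload["iss"] != expected_iss:
        raise ValueError("issuer mismatch")
    aud = payload["aud"]
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if expected_aud not in audiences:
        raise ValueError("token not intended for this API")
    if now >= payload["exp"] + leeway:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"] - leeway:
        raise ValueError("token not yet valid")
    if "iat" in payload and payload["iat"] > now + leeway:
        raise ValueError("token issued in the future")
    # 'scope' is authoritative; fall back to the deprecated 'scp' array if it is absent.
    if "scope" in payload:
        return set(payload["scope"].split())
    return set(payload.get("scp", []))


if __name__ == "__main__":
    tok = build_example_token()
    hdr, body, _sig = split_jwt(extract_bearer_token("Bearer " + tok))
    print(validate_claims(hdr, body, EXAMPLE_PAYLOAD["iss"], "profile-api", now=1537438000))
```

With the example payload, a resource server named `profile-api` evaluating the token at `now=1537438000` gets the scope set `{"profile", "read"}`; the same token evaluated after `exp` plus the leeway is rejected as expired, and a server expecting a different `aud` rejects it as not intended for it.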