Authlete
Request to Authlete's /api/auth/token/create API. The API can be used to create an arbitrary access token without using standard flows.
Properties
GrantType | GrantType [get, set]
The grant type to be emulated for a newly created access token. When this property is either GrantType.IMPLICIT or GrantType.CLIENT_CREDENTIALS, a refresh token is not issued. This request parameter is mandatory.
long | ClientId [get, set]
The ID of the client application which will be associated with a newly created access token. This request parameter is mandatory.
string | Subject [get, set]
The subject (= unique identifier) of the user who will be associated with a newly created access token. This request parameter is required unless the grant type is GrantType.CLIENT_CREDENTIALS. The value must consist of only ASCII characters and its length must not exceed 100.
string[] | Scopes [get, set]
The scopes which will be associated with a newly created access token. Scopes that are not supported by the service cannot be specified and requesting them will cause an error. This request parameter is optional.
long | AccessTokenDuration [get, set]
The duration of a newly created access token in seconds. If the value is 0, the duration is determined according to the settings of the service. This request parameter is optional.
long | RefreshTokenDuration [get, set]
The duration of a newly created refresh token in seconds. If the value is 0, the duration is determined according to the settings of the service. This request parameter is optional.
Property[] | Properties [get, set]
Extra properties to be associated with a newly created access token. Note that the "properties" request parameter is accepted only when Content-Type of the request is "application/json", so don't use "application/x-www-form-urlencoded" if you want to use this "properties" request parameter.
bool | IsClientIdAliasUsed [get, set]
The flag which indicates whether to emulate that the client ID alias is used instead of the original numeric client ID when a new access token is created.
string | AccessToken [get, set]
The value of the new access token. This request parameter is optional.
string | RefreshToken [get, set]
The value of the new refresh token. This request parameter is optional.
bool | IsAccessTokenPersistent [get, set]
The flag which indicates whether the access token expires or not.
string | CertificateThumbprint [get, set]
The thumbprint of the client certificate bound to the token. If this property is set, a certificate whose thumbprint matches the value must be presented with the access token when it is used by a client.
string | DpopKeyThumbprint [get, set]
The thumbprint of the public key used for DPoP presentation of the token. If this property is set, a DPoP proof JWT signed with the corresponding private key must be presented with the access token when it is used by a client.
string | AccessToken [get, set]
The value of the new access token. This request parameter is optional.
The /api/auth/token/create API generates an access token. Therefore, callers of the API do not have to specify values of newly created access tokens. However, in some cases, for example, if you want to migrate existing access tokens from an old system to Authlete, you may want to specify values of access tokens. In such a case, you can specify the value of a newly created access token by passing a non-null value as the value of the "accessToken" request parameter. The implementation of the /api/auth/token/create API uses the value of the "accessToken" request parameter instead of generating a new value when the request parameter holds a non-null value.
Note that if the hash value of the specified access token already exists in Authlete's database, the access token cannot be inserted and the /api/auth/token/create API will report an error.
long | AccessTokenDuration [get, set]
The duration of a newly created access token in seconds. If the value is 0, the duration is determined according to the settings of the service. This request parameter is optional.
string | CertificateThumbprint [get, set]
The thumbprint of the client certificate bound to the token. If this property is set, a certificate whose thumbprint matches the value must be presented with the access token when it is used by a client.
See RFC 8705 (OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens) for details.
The value should be a base64url-encoded SHA-256 certificate thumbprint.
Since version 1.4.0.
long | ClientId [get, set]
The ID of the client application which will be associated with a newly created access token. This request parameter is mandatory.
string | DpopKeyThumbprint [get, set]
The thumbprint of the public key used for DPoP presentation of the token. If this property is set, a DPoP proof JWT signed with the corresponding private key must be presented with the access token when it is used by a client.
See "OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)" for details.
Since version 1.4.0.
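Computing the values for CertificateThumbprint and DpopKeyThumbprint, as an added example that is not part of the Authlete library or its documentation. The class and method names are hypothetical, the DPoP value is assumed to be the base64url JWK SHA-256 thumbprint (RFC 7638) used by the DPoP specification, and the key and certificate are constructed sample inputs.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Hypothetical helper, not an Authlete class.
public static class TokenBindingThumbprints
{
    // base64url without padding (RFC 7515, Appendix C).
    static string Base64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static string Sha256Base64Url(byte[] data)
    {
        using (var sha = SHA256.Create())
            return Base64Url(sha.ComputeHash(data));
    }

    // RFC 8705 thumbprint: SHA-256 over the DER encoding of the certificate.
    // X509Certificate2.Thumbprint is a hex SHA-1 digest and does not fit this property.
    public static string ForCertificate(X509Certificate2 cert) =>
        Sha256Base64Url(cert.RawData);

    // Assumption: DpopKeyThumbprint takes the RFC 7638 JWK thumbprint (P-256 keys only here).
    // RFC 7638 hashes the required members only, in lexicographic order, without whitespace.
    public static string ForEcPublicKey(ECDsa key)
    {
        ECParameters p = key.ExportParameters(false);
        string jwk = "{\"crv\":\"P-256\",\"kty\":\"EC\",\"x\":\"" + Base64Url(p.Q.X)
                   + "\",\"y\":\"" + Base64Url(p.Q.Y) + "\"}";
        return Sha256Base64Url(Encoding.UTF8.GetBytes(jwk));
    }

    public static void Main()
    {
        // Constructed sample inputs: a throwaway key and a self-signed certificate.
        using (ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256))
        {
            var req = new CertificateRequest("CN=constructed-client", key, HashAlgorithmName.SHA256);
            using (X509Certificate2 cert = req.CreateSelfSigned(
                DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1)))
            {
                Console.WriteLine("CertificateThumbprint: " + ForCertificate(cert));
                Console.WriteLine("DpopKeyThumbprint:     " + ForEcPublicKey(key));
            }
        }
    }
}
```

Both results are 43-character unpadded base64url strings, since each encodes a 32-byte SHA-256 digest.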
GrantType | GrantType [get, set]
The grant type to be emulated for a newly created access token. When this property is either GrantType.IMPLICIT or GrantType.CLIENT_CREDENTIALS, a refresh token is not issued. This request parameter is mandatory.
bool | IsAccessTokenPersistent [get, set]
The flag which indicates whether the access token expires or not.
By default, all access tokens expire after a period of time determined by their service. If this request parameter is true then the access token will not automatically expire and must be revoked or deleted manually at the service.
If this request parameter is true, the accessTokenDuration request parameter is ignored.
Since version 1.3.0.
bool | IsClientIdAliasUsed [get, set]
The flag which indicates whether to emulate that the client ID alias is used instead of the original numeric client ID when a new access token is created.
This has an effect only on the value of the "aud" claim in a response from a userinfo endpoint. When you access the userinfo endpoint (which is expected to be implemented using Authlete's /api/auth/userinfo API and /api/auth/userinfo/issue API) with an access token which has been created using Authlete's /api/auth/token/create API with this property (IsClientIdAliasUsed) true, the client ID alias is used as the value of the "aud" claim in a response from the userinfo endpoint.
Note that if a client ID alias is not assigned to the client when Authlete's /api/auth/token/create API is called, this property has no effect (it is always regarded as false).
Property[] | Properties [get, set]
Extra properties to be associated with a newly created access token. Note that the "properties" request parameter is accepted only when Content-Type of the request is "application/json", so don't use "application/x-www-form-urlencoded" if you want to use this "properties" request parameter.
string | RefreshToken [get, set]
The value of the new refresh token. This request parameter is optional.
The /api/auth/token/create API generates a refresh token as necessary. Therefore, callers of the API do not have to specify values of newly created refresh tokens. However, in some cases, for example, if you want to migrate existing refresh tokens from an old system to Authlete, you may want to specify values of refresh tokens. In such a case, you can specify the value of a newly created refresh token by passing a non-null value as the value of the "refreshToken" request parameter. The implementation of the /api/auth/token/create API uses the value of the "refreshToken" request parameter instead of generating a new value when the request parameter holds a non-null value.
Note that if the hash value of the specified refresh token already exists in Authlete's database, the refresh token cannot be inserted and the /api/auth/token/create API will report an error.
long | RefreshTokenDuration [get, set]
The duration of a newly created refresh token in seconds. If the value is 0, the duration is determined according to the settings of the service. This request parameter is optional.
A refresh token is not created (1) if the service is configured not to support GrantType.REFRESH_TOKEN, or (2) if the specified grant type is either GrantType.IMPLICIT or GrantType.CLIENT_CREDENTIALS.
string[] | Scopes [get, set]
The scopes which will be associated with a newly created access token. Scopes that are not supported by the service cannot be specified and requesting them will cause an error. This request parameter is optional.
string | Subject [get, set]
The subject (= unique identifier) of the user who will be associated with a newly created access token. This request parameter is required unless the grant type is GrantType.CLIENT_CREDENTIALS. The value must consist of only ASCII characters and its length must not exceed 100.