import { TokenUpdateRequest } from "https://deno.land/x/authlete_deno@v1.2.10/mod.ts";
Request to Authlete /auth/token/update API.
Properties
The flag which indicates whether /auth/token/update API attempts to update the expiration date of the access token when the scopes linked to the access token are changed by this request. This request parameter is optional and its default value is false. If this request parameter is set to true and all of the following conditions are satisfied, the API performs an update on the expiration date of the access token even if the accessTokenExpiresAt request parameter is not explicitly specified in the request.
- The accessTokenExpiresAt request parameter is not included in the request or its value is 0 (or negative).
- The scopes linked to the access token are changed by the scopes request parameter in the request.
- Any of the new scopes to be linked to the access token has one or more attributes specifying access token duration.
When multiple access token duration values are found in the attributes of the specified scopes, the smallest value among them is used.
For more details, see the following examples.
Example 1.
Let's say we send the following request to /auth/token/update API.
{
"accessToken" : "JDGiiM9PuWT63FIwGjG9eYlGi-aZMq6CQ2IB475JUxs",
"scopes" : ["read_profile"]
}
and "read_profile" has the following attributes.
{
"key" : "access_token.duration",
"value" : "10000"
}
In this case, the API evaluates "10000" as a new value of the duration of the access token (in seconds) and updates the expiration date of the access token using the duration.
Example 2.
Let's say we send the following request to /auth/token/update API.
{
"accessToken" : "JDGiiM9PuWT63FIwGjG9eYlGi-aZMq6CQ2IB475JUxs",
"scopes" : ["read_profile", "write_profile"]
}
and "read_profile" has the following attributes
{
"key" : "access_token.duration",
"value" : "10000"
}
and "write_profile" has the following attributes.
{
"key" : "access_token.duration",
"value" : "5000"
}
In this case, the API evaluates "10000" and "5000" as candidate values for the new duration of the access token (in seconds), chooses the smallest of them (i.e. "5000" is adopted), and updates the expiration date of the access token using that duration.
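The following TypeScript sketch is an added illustration, not Authlete's code or part of this library: it models the three conditions and the smallest-value rule described above. The field name updateOnScopeChange, the helper durationFromScopes, the reading of "changed" as set inequality, and the skipping of non-numeric values are assumptions.

```typescript
// Illustrative model of the rule described above; not Authlete's implementation.
interface ScopeAttribute { key: string; value: string }
interface UpdateRequest {
  scopes?: string[];
  accessTokenExpiresAt?: number;
  updateOnScopeChange?: boolean; // hypothetical name for the flag described above
}

const DURATION_KEY = "access_token.duration";

// Returns the duration (in seconds) from which the expiration date would be
// recomputed, or null when the documented conditions are not all satisfied.
function durationFromScopes(
  req: UpdateRequest,
  currentScopes: string[],
  scopeAttributes: Record<string, ScopeAttribute[]>,
): number | null {
  if (req.updateOnScopeChange !== true) return null;    // flag defaults to false
  if ((req.accessTokenExpiresAt ?? 0) > 0) return null; // explicit expiry was given
  if (req.scopes === undefined) return null;            // scopes are not being changed
  const prev = new Set(currentScopes);
  const next = Array.from(new Set(req.scopes));
  // Assumption: "changed" means the old and new scope sets differ.
  const changed = next.length !== prev.size || next.some((s) => !prev.has(s));
  if (!changed) return null;
  const durations: number[] = [];
  for (const scope of next) {
    for (const attr of scopeAttributes[scope] ?? []) {
      if (attr.key !== DURATION_KEY) continue;
      // Assumption: values that are not positive integers are skipped.
      const n = /^[0-9]+$/.test(attr.value) ? Number(attr.value) : 0;
      if (n > 0) durations.push(n);
    }
  }
  // The smallest candidate wins, so the shortest-lived scope bounds the token.
  return durations.length > 0 ? Math.min(...durations) : null;
}

// Constructed sample data mirroring the attributes in Examples 1 and 2.
const SAMPLE_ATTRIBUTES: Record<string, ScopeAttribute[]> = {
  read_profile: [{ key: DURATION_KEY, value: "10000" }],
  write_profile: [{ key: DURATION_KEY, value: "5000" }],
};
```

Note that when the flag is left at its default, widening a token's scopes leaves its existing expiration date in place, which is worth checking wherever short-lived scopes are relied on.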
The hash of the access token value. Used when the hash of the token is known (perhaps from lookup) but the value of the token itself is not.
The value of the accessToken parameter takes precedence.
Whether the access token expires or not. By default, all access tokens expire after a period of time determined by their service.
If this request parameter is true then the access token will not automatically expire and must be revoked or deleted manually at the service.
If this request parameter is true, the accessTokenExpiresAt request parameter is ignored. If this request parameter is false, the accessTokenExpiresAt request parameter is processed normally.
Whether to update the value of the access token in the data store.
If this parameter is set to true then a new access token value is generated by the server and returned in the response.
The authorization details. This represents the value of the authorization_details request parameter which is defined in "OAuth 2.0 Rich Authorization Requests".
The thumbprint of the MTLS certificate bound to this token. If this field is set, a certificate with the corresponding value MUST be presented with the access token when it is used by a client.
The thumbprint of the public key used for DPoP presentation of this token. If this field is set, a DPoP proof signed with the corresponding private key MUST be presented with the access token when it is used by a client. Additionally, the token's token_type will be set to 'DPoP'.
The flag which indicates whether the access token is for an external attachment.
For more details, see OpenID Connect for Identity Assurance 1.0, External Attachments.
A new set of properties assigned to the access token.
If null is given, the property set associated with the access token is not changed.