OAuth and OpenID Connect


Updating issued token(s)

Technical information on the different methods Authlete provides for updating issued token(s), including scopes, expiration time, and other properties.

Token duration per scope

Setting token duration individually per scope in Authlete 2.0 for more granular control and customization.

Changing token duration

Explanation of how changing token duration settings in Authlete affects access tokens and refresh tokens.

Token revocation policy

Technical information about how Authlete handles token revocation requests and the corresponding invalidation of access tokens and refresh tokens.

Access Tokens

Using JWT-based access tokens

Guide on enabling the feature in Authlete to issue JWT-formatted access tokens and specifying additional claims available in Authlete 2.1 and later.

Refresh Tokens

How to enable issuing of a refresh token

Configuring the Authlete service and clients to enable issuing a refresh token, including adding REFRESH_TOKEN to the Supported Grant Types and Grant Types settings in both the Service Owner and Developer Consoles.

ID Tokens

Proof-of-Possession (PoP) Tokens

Using DPoP

Technical guide on implementing DPoP with Authlete APIs for supporting OAuth 2.0 Proof-of-Possession.


Scope attributes

This article provides information on scope attributes, available since Authlete 2.0, and how to create them.

Client Management

Using Client ID Alias

Technical information about using the Client ID Alias feature in Authlete for seamless migration of clients and resource servers to an Authlete-based authorization server.

Client Attributes

Configuring and utilizing client attributes in OAuth 2.0 for defining client affiliations, roles, and access controls.

Authorization Requests

Using Request Objects

Instructions on configuring Authlete to support authorization requests with request objects for enhanced security.

Pushed Authorization Requests (PAR)

Overview of the technical support for Pushed Authorization Requests (PAR) in the OAuth 2.0 framework, with a focus on implementing the PAR endpoint in an authorization server and configuring PAR settings in Authlete.

Rich Authorization Requests (RAR)

Overview and implementation details of OAuth 2.0 Rich Authorization Requests (RAR) for fine-grained permission representation and usage in Authlete.

JWT Secured Authorization Requests (JAR)

Technical information about using JWT Secured Authorization Requests (JAR) in OAuth 2 deployments for increased security and validation of authorization requests.

Resources Indicator

Technical information about the Resource Identifier specification in the OAuth 2 framework and its support by Authlete.

Error Handling

Generating error response using fail API

Generating OAuth 2.0 compliant error responses using Authlete's fail APIs to support the authorization server in responding to clients with standard error messages.

Client Authentication

Configuring client authentication

Basics of client authentication configuration in Authlete and how client authentication works in the context of processing token requests.

Client authentication using private_key_jwt method

Technical information on client authentication using the private_key_jwt method in OAuth 2.0, with an overview of the method, setup instructions with Authlete, and requirements for both the client and the authorization server side.

Strict checking on client authentication parameters

Strict checking on client authentication parameters in Authlete version 2.0 requires specific configurations and values in token requests, with differences from the previous version to note during migration.


Use cases for two introspection APIs

Various use cases for Authlete's two introspection APIs, including the /auth/introspection and /auth/introspection/standard APIs, are discussed in this article.

Userinfo Endpoint

Access token verification in Userinfo API

Technical information on how Authlete's Userinfo API internally verifies access tokens, eliminating the need for the authorization server to make a separate request to Authlete's introspection API.


Enabling JARM

Technical guide on enabling JARM, a response mode that encodes authorization responses as JWTs, for secure authorization responses.

Device Flow (RFC 8628)

Enabling “device flow”

Guide on enabling the device flow for API clients on devices without web browsers using Authlete's authorization server component architecture.

Grant Type