
OAuth 2.0 / OIDC application attributes

Access token lifetime

Access token lifetime defines how long the access tokens issued by Identity Cloud are valid. You can define the token lifetime anywhere in the range of 1-1440 minutes (24 hours).

When an access token expires, your application can get a new one by executing the appropriate flow:

  • Authorization Code for classic web applications. The user has to log in if there is no session on Identity Cloud.
  • Authorization Code with PKCE for single-page applications and native applications. The user has to log in if there is no session on Identity Cloud.
  • Client Credentials for server-to-server applications. No user interaction needed.
  • Refresh Token for single-page applications, native applications and classic web applications. It requires a refresh token, but does not require user interaction.

Access token expired or revoked

Access tokens can be accepted by resource servers until they expire or are revoked.

Blocking a user in Identity Cloud does not affect the validity of access tokens.

We recommend setting a short lifetime, such as a few minutes, if you want to decrease the time a user can still access your services after being blocked.

Having short-lived access tokens is helpful in the case of a threat. You can block users, which prevents the refresh token flow from being used to retrieve a new access token. The harm that can be done is limited to the access token lifetime.

Info: Access token lifetime is an attribute of: SPA, WEB, NAT, S2S.

Allowed return URIs

When an application initiates authentication by redirecting to the Identity Cloud authorization endpoint, it has to send along a query parameter redirect_uri, which defines where to redirect the user after successful authentication.

This can be a classic URL or a custom scheme URI that triggers a mobile application. Identity Cloud checks if the value sent in the redirect_uri parameter is allowed.

You can define multiple Allowed return URIs, each one on a new line. The hostname is required, and you can optionally add the port. Both HTTP and HTTPS can be defined.

For example: https://your-company.com/callback

Info: Allowed return URIs are an attribute of: SPA, WEB, NAT.
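An added example, not code from Identity Cloud: parsing an Allowed return URIs setting in the format described above (one URI per line, http or https with a required hostname and optional port, or a custom mobile scheme) and checking an incoming redirect_uri against it. The example assumes exact matching after URL canonicalisation; the page only states that Identity Cloud checks whether the value is allowed.

```javascript
// Parse the "Allowed return URIs" setting (one URI per line) into canonical absolute URIs.
// Node's WHATWG URL parser does the canonicalisation: it lower-cases scheme and host and
// drops a default port, so equivalent spellings compare equal and anything else differs.
function parseAllowedReturnUris(setting) {
  const allowed = [];
  for (const line of setting.split('\n')) {
    const raw = line.trim();
    if (!raw) continue;
    let u;
    try { u = new URL(raw); } catch { throw new Error(`not an absolute URI: ${raw}`); }
    // http(s) entries need a hostname; a custom scheme (mobile deep link) is kept as written.
    if ((u.protocol === 'http:' || u.protocol === 'https:') && !u.hostname) {
      throw new Error(`hostname is required: ${raw}`);
    }
    allowed.push(u.href);
  }
  return allowed;
}

// Decide whether a redirect_uri from an authorization request may be used. Exact match
// against the canonical allow-list: no prefix, subdomain or path-based matching, and no
// fragment (RFC 6749 forbids fragments in redirect_uri). True only for an allowed value.
function isAllowedRedirectUri(allowed, redirectUri) {
  let u;
  try { u = new URL(redirectUri); } catch { return false; }
  if (u.hash) return false;
  return allowed.includes(u.href);
}

// Constructed allow-list in the page's format: an https entry, a custom-scheme entry for a
// mobile application, and an http entry with an explicit port.
const ALLOWED = parseAllowedReturnUris(`
https://your-company.com/callback
myapp://callback
http://localhost:3000/cb
`);
```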

Return URI

The user is redirected to the Return URI after successfully authorizing your application. This can be a classic URL or a custom URL scheme that triggers a mobile application.

The hostname is required, and you can optionally add the port. You can use either HTTP or HTTPS.

For example: https://your-company.com/callback

See more under the global settings section.

To learn more about return URLs, also see Allowed return URLs and Default return URL.

Info: Return URI is an attribute of: SPA, WEB, NAT, S2S.

Authorization endpoint

The Authorization endpoint is provided by Identity Cloud. This endpoint can be used to request an authorization code by authenticating the end user. You can then exchange this code at the token endpoint for an access token.

Info: Authorization endpoint is an attribute of: SPA, WEB.

Client ID

Client ID is the unique public identifier of your application. Identity Cloud generates the Client ID for you.

The Client ID has 16 characters, containing letters and numbers, according to "client_id" Syntax in The OAuth 2.0 Authorization Framework (RFC 6749, Appendix A.1).

Info: Client ID is an attribute of: SPA, WEB, NAT, S2S.

Client secret

The Client secret is used by applications with a server-side component. Client secrets increase security as they are only known by your application and the authorization server.

Identity Cloud generates a random Client secret for you.

The Client secret has 16 characters, containing letters and numbers, according to "client_secret" Syntax in The OAuth 2.0 Authorization Framework (RFC 6749, Appendix A.2).

Info: Client secret is an attribute of: WEB, S2S.

ID token lifetime

ID token lifetime defines how long the ID tokens issued by Identity Cloud are valid. The ID token lifetime needs to be in the range of 1-1440 minutes (24 hours). The ID token is returned when the scope openid is requested.

Info: ID token lifetime is an attribute of: SPA, WEB, NAT, S2S.

Identity Cloud issuer

The Identity Cloud issuer is included as an Issuer Claim (iss) in access tokens and ID tokens issued by Identity Cloud.

Add the Identity Cloud issuer to the configuration of your resource servers to validate issued tokens.

Info: Identity Cloud issuer is an attribute of: SPA, WEB, NAT, S2S.

Identity Cloud signer certificate

Access tokens and ID tokens are signed using a private key. The Identity Cloud signer certificate is the X.509 certificate whose public key is required to validate that signature. Identity Cloud generates it for you.

Add the Identity Cloud signer certificate to the configuration of your resource server to validate issued tokens.

Info: Identity Cloud signer certificate is an attribute of: SPA, WEB, NAT, S2S.

Metadata endpoint

The Metadata endpoint returns the OpenID Connect configuration in JSON format. The metadata includes OpenID/OAuth endpoints, supported scopes and claims, and other relevant details.

Info: Metadata endpoint is an attribute of: SPA, WEB, NAT, S2S.

Refresh token lifetime

Refresh token lifetime defines how long refresh tokens are valid. To retrieve a new access token after this time, the user needs to log in again.

You can define how long your refresh token is valid. The value must be between 1 and 365 days.

For more information, see Refresh token.

Info: Refresh token lifetime is an attribute of: SPA, WEB, NAT.

Token endpoint

The token endpoint is used by the client to obtain an access token, by presenting its authorization grant or refresh token.

The token endpoint is provided by Identity Cloud and is used with every authorization grant.

For single-page applications, regular web applications and native applications, an ID token or a refresh token is issued as well if requested.

Info: Token endpoint is an attribute of: SPA, WEB, NAT, S2S.

Token introspection endpoint

The Token introspection endpoint is provided by Identity Cloud, and can be called by a resource server to validate received tokens.

Info: Token introspection endpoint is an attribute of: SPA.