Registration utilizes several OAuth access tokens and codes through both the social and traditional authentication process. Following is an overview of each type of token and the context in which each is used.
Access Tokens
Access tokens allow for scoped, time-limited access to the Identity Cloud user profile database through the Registration UI. They may also be used as authentication for some /entity endpoints instead of a client ID and secret.
Access tokens are bearer tokens and are only valid for one hour by default. The lifetime can be configured to a shorter time by Akamai Professional Services, but an expiration of longer than one hour is not allowed for security reasons. Access tokens may be refreshed using the oauth/token endpoint or provisioned manually using the access/getAccessToken endpoint.
Authorization Codes
After a user has been successfully authenticated, that user is not immediately given an access token. Instead, the user is issued an authorization code that must be exchanged for an access token (using the oauth/token endpoint) before the user profile database can be accessed. There are three ways that a user can obtain an authorization code:
- By initiating the Forgot Password? flow. Authorization codes are generated in the reset password workflow and are appended to the base URL set in the password_recover_url client setting. The lifetime of the code in the reset password link is configurable in the recover_code_lifetime client setting.
- By being manually provisioned through the access/getAuthorizationCode endpoint.
Each authorization code is valid for one-time use only.
IDP Tokens
IDP tokens are provisioned by an IDP (Identity Provider) after a successful social authentication. They allow for scoped, time-limited access to user data through the IDP’s APIs. IDP tokens must be converted into a Social Login token with the signin/oauth endpoint for use with Registration.
Refresh Tokens
Refresh tokens are only returned in the response of a successful oauth/token call when exchanging an authorization code or a previous refresh token for an access token. Because each refresh response carries a new refresh token, access tokens can be refreshed indefinitely.
Refresh tokens do not have an expiration time, but each one is valid for one-time use only.
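The authorization-code exchange and refresh-token rotation described above, as an added example that is not part of the original page or Akamai's SDKs. The host, the OAuth 2.0 form fields sent to oauth/token (grant_type, code, redirect_uri, refresh_token, client credentials) and the FakeIdentityCloud responder are assumptions; the client discards each refresh token before use, caps lifetimes at the documented one hour, and refreshes ahead of expiry.

```python
import time
from typing import Callable, Dict, Optional

TOKEN_URL = "https://example.janraincapture.com/oauth/token"  # hypothetical host

class TokenClient:
    """Holds one access token and rotates single-use refresh tokens. post(url, form) -> dict is
    injected so this runs offline; the OAuth 2.0 form fields are an assumption, not the page's spec."""
    def __init__(self, post: Callable[[str, Dict[str, str]], dict],
                 client_id: str, client_secret: str, skew: int = 60):
        self.post, self.skew = post, skew
        self.creds = {"client_id": client_id, "client_secret": client_secret}
        self.access: Optional[str] = None
        self.refresh_token: Optional[str] = None
        self.expires_at = 0.0
    def _store(self, resp: dict) -> str:
        # Never trust a lifetime above the documented one-hour maximum.
        self.expires_at = time.time() + min(int(resp.get("expires_in", 3600)), 3600)
        self.access, self.refresh_token = resp["access_token"], resp.get("refresh_token")
        return self.access
    def exchange_code(self, code: str, redirect_uri: str) -> str:
        form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
        return self._store(self.post(TOKEN_URL, {**form, **self.creds}))
    def refresh(self) -> str:
        if not self.refresh_token:
            raise PermissionError("no refresh token: the user must authenticate again")
        rt, self.refresh_token = self.refresh_token, None  # one-time use: drop it before sending
        form = {"grant_type": "refresh_token", "refresh_token": rt}
        return self._store(self.post(TOKEN_URL, {**form, **self.creds}))
    def bearer(self) -> str:
        """Token for an Authorization: Bearer header, refreshed ahead of expiry."""
        if self.access is None:
            raise PermissionError("not authenticated")
        if time.time() + self.skew >= self.expires_at:
            self.refresh()
        return self.access

class FakeIdentityCloud:
    """Constructed stand-in for oauth/token: every code and refresh token is single-use."""
    def __init__(self, codes=("code-1",)):
        self.codes, self.refresh_tokens, self.n = set(codes), set(), 0
    def post(self, url: str, form: Dict[str, str]) -> dict:
        by_code = form["grant_type"] == "authorization_code"
        pool, grant = (self.codes, form["code"]) if by_code else (self.refresh_tokens, form["refresh_token"])
        if grant not in pool:
            raise PermissionError("invalid_grant")  # unknown or already-consumed grant
        pool.discard(grant)
        self.n += 1
        self.refresh_tokens.add(f"rt-{self.n}")
        return {"access_token": f"at-{self.n}", "refresh_token": f"rt-{self.n}", "expires_in": 3600}
```

A replayed authorization code or refresh token is rejected by the fake, which is the behaviour a client should expect from the real endpoint and why the client forgets a refresh token before sending it.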
Social Login Tokens
Social Login tokens are provisioned after a successful authentication through Social Login. They allow for scoped, one-time access to user data through the auth_info endpoint.
These tokens are also used to complete the social authentication process in API-based Registration implementations with the oauth/auth_native, oauth/register_native, and oauth/auth_native_traditional endpoints. For normal login or registration, a Social Login token is passed in the token parameter; for an account merge process, a Social Login token is also passed in the merge_token parameter.
Social Login tokens may be provisioned manually using the signin/oauth endpoint in exchange for an IDP token.
Verification Codes
Verification codes are generated in the email verification workflow and appended to the base URL set in the verify_email_url client setting. The lifetime of the code in the verification link is configurable in the verification_code_lifetime client setting.
Each verification code is valid for one-time use only.