What is a Oauth Access Token?

About

This page talks about access token in the context of the OAuth specification.

An access token is a token representing an access authorization created during:

• a implicit grant flow
• or a authorization code flow

It represents an access authorization to protected resources issued to the client rather than using the resource owner's credentials directly.

Example

The access token is generally a JSON file with the access token value and security properties such as scope, token type, expiration, …

{
   "access_token":"yhEvm8U6uG0gPmoUDuLn3bENGIMceiFz",
   "id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZ.... JWT",
   "scope":"openid profile email",
   "expires_in":86400,
   "token_type":"Bearer"
}

Authorization

The client uses the access token to access the protected resources owned by a resource owner hosted by a resource server.

When a client passes an access token to a server managing a resource, that server use the token to decide whether the client is authorized or not.

Access tokens are used to make API requests on behalf of a user. The access token represents the authorization of a specific application to access specific parts of a user’s data.

Pros and Cons

The access token provides an abstraction layer, replacing different authorization constructs (e.g., username and password) with a single token understood by the resource server.

This abstraction enables:

• issuing access tokens more restrictive than the authorization grant used to obtain them,
• removing the resource server's need to understand a wide range of authentication methods.

The access token content is usually opaque to the client.

Structure

A token can be:

• structured such as JWT
• or unstructured such as a nonce

Access tokens can have different formats, structures, and methods of utilization (e.g., cryptographic properties) based on the resource server security requirements.

An access token is a string representing an authorization issued to the client. The string is usually opaque to the client.

The token may be:

• an identifier used to retrieve the authorization attributes
• or a string that consists of authorization attributes and a signature (to verify that the attributes are genuine).

Attribute

The properties denotes:

• a specific scope,
• durations of access (lifetime), (short-live or long-lived)
• and other access attributes.

The token properties are granted by the resource owner, and enforced by the resource server and authorization server.

Access token may have a shorter lifetime and fewer permissions than authorized by the resource owner.

Type

Access token attributes and the methods used to access protected resources are beyond the scope of the Oauth specification and are defined by companion specifications such as Bearer Token.

Management

Creation

Access tokens are issued to third-party clients with the approval of the resource owner by the authorization server via the following endpoints:

• the authorization endpoint during a implicit grant flow
• the … during a authorization code flow

The implementation of access token are beyond the scope of the Oauth specification and are defined by companion specifications such as the Bearer Token.

Expiration

When an access token expires, developers can use an optional refresh token to request a new access token without having to ask the user to enter their credentials again.

Storage

The only parties that should ever see the access token are:

• the application itself,
• the authorization server,
• and resource server.

The application should ensure the storage of the access token is not accessible to other applications on the same device.

See access token storage

Documentation / Reference

• https://tools.ietf.org/html/rfc6749#section-1.4