Hi Team,
I wanted to know how many types of token’s(access Token,Id Token,State Token etc), are there in Okta and what is their validity?
Not sure I understand the context for this question, but will try to answer as best I can:
- For OIDC applications, there are Access, ID, and Refresh Tokens that can be issued, depending on the OIDC flow used and the scopes requested. Their lifetimes can vary based on whether or not you use a custom authorization server (which allows you to configure the lifetimes for the tokens via Access Rules or Token Inline Hooks). More details about their lifetimes found in our docs: OpenID Connect & OAuth 2.0 API | Okta Developer
- For OAuth applications (a M2M Service app), there is only an Access Token issued. Same rules about its lifetime being configured via the custom authorization server.
- During a user login, there are State Tokens (used during the login transaction) the lifetime of which varies, one-time Session Tokens (returned after primary authentication is completed) which last 15 minutes, and Device Tokens (used for behavior detection) which do not have lifetimes and are more like IDs
- During password recovery, there are one-time Recovery Tokens, the lifetime of which is configured on the Admin Console
- During user activation, there is a one-time Activation Token, whose lifetime is also configured in the Admin Console.
- API Tokens (used to access Okta API endpoints) have a 30 day idle lifetime and this lifetime will be refreshed as long as the token continues to be used
1 Like
This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.