Identity, Claims, & Tokens – An OpenID Connect Primer, Part 1 of 3

This blog series is a primer on OIDC. In this first post, we’ll review some key concepts around OIDC and tokens, explained in human terms.

Dinesh Balaji

Very informative

Micah

Thanks!

Bertrand Florat

Thanks. Probably the clearest explanations about OIDC I got so far.

Micah

You’re welcome! Glad you dug it!

Naresh Ram

Informative and precise. Thanks

Micah

Thanks!

jérémie C.

It’s been a while since the writing but still one of the best intro/recap I found so far too. Thanks!

swagat kulkarni

Hi Micah,

Thanks for the series here. It is extremely helpful.
I have a basic question here.

When I call the auth endpoint for an id_token, does it return the information about the end user or the client app?
I am assuming that it is the end user and, if so, where is all the user info such as email and address stored?

Micah

What you get back when the response includes an id token is a JWT (JSON Web Token). Encoded in the JWT payload are claims that include information about the authenticated user (like email). The scopes requested drive what will be included in the JWT. If additional user information is needed, it can be obtained by hitting the standard /userinfo endpoint (which requires a valid access token)
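As an added illustration of the reply above (example code written for this thread, not Okta’s code or the blog post’s own), the block below builds an ID token whose claims depend on the requested scopes, then shows the checks a client should run before trusting the payload: signature, issuer, audience and expiry. To stay standard-library only it signs with HS256 using a constructed client secret; real providers such as Okta typically sign with RS256 and publish the public keys, but the validation order is the same. The issuer, client_id, user record and secret are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data (not real values). Assumption: HS256 with a shared
# client secret, chosen only to keep the example dependency-free.
SECRET = b"constructed-client-secret-do-not-reuse"
ISSUER = "https://issuer.example.com"      # placeholder issuer URL
CLIENT_ID = "example-client-id"            # placeholder client_id
USER = {"sub": "user-123", "name": "Ada Lovelace",
        "email": "ada@example.com", "email_verified": True}

# Claims released into the ID token per requested scope (subset of the
# standard OIDC scope-to-claim mapping).
SCOPE_CLAIMS = {
    "profile": ("name",),
    "email": ("email", "email_verified"),
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def claims_for_scopes(scopes, now):
    """Mandatory ID token claims plus whatever the requested scopes release."""
    claims = {"iss": ISSUER, "sub": USER["sub"], "aud": CLIENT_ID,
              "iat": now, "exp": now + 3600}
    for scope in scopes:
        for name in SCOPE_CLAIMS.get(scope, ()):
            claims[name] = USER[name]
    return claims


def make_id_token(scopes, now):
    """Produce header.payload.signature, the JWT compact serialization."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims_for_scopes(scopes, now)))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_id_token(token, now):
    """Verify the signature first, then iss/aud/exp; only then use the claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # reject alg=none or a swapped alg
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not intended for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    now = int(time.time())
    token = make_id_token(["openid", "email"], now)
    print(validate_id_token(token, now))
```

Requesting only `openid` and `email` yields `sub` plus the email claims and no `name`; adding `profile` releases `name`. Anything beyond what the scopes put in the token is what the `/userinfo` endpoint is for.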

Learning

Can you guys help me to get the answer of below queries ?

1) Does a refresh token have an expiry time as well? If yes, what is it?
2) If a refresh token is expired and a request is made using it to get a new access token and ID token, then the returned access token will also be invalid. Is this statement correct?

Micah

1) Yes, the refresh token will have its own expiration. Each service provider has different settings for this. With Okta, you can have a refresh token with an unlimited expiration, BUT it will automatically be revoked if it isn’t used within a certain interval, which is also configurable. You can also set it to expire in an interval - minutes, hours, days, etc.

2) If you make the refresh request with an expired refresh token, you will get an error response. You won’t get a token response at all.
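To make the two points in this reply concrete, here is a small model of an authorization server’s refresh-token handling, written as an added example for this thread (not Okta’s code). It carries the two lifetime controls the reply describes, an optional absolute lifetime and an idle timeout after which an unused refresh token is revoked, and it shows that a refresh attempt with a dead token gets an `invalid_grant` error rather than a token response, while an access token obtained from a still-valid refresh is active under introspection. Lifetimes, token formats and the in-memory store are constructed; refresh-token rotation is left out.

```python
import secrets
from dataclasses import dataclass


@dataclass
class RefreshRecord:
    issued_at: int      # seconds; used for the absolute lifetime check
    last_used: int      # seconds; used for the idle-timeout check
    revoked: bool = False


class AuthorizationServer:
    """Constructed model: absolute lifetime of None means unlimited."""

    def __init__(self, access_lifetime=3600, idle_timeout=5 * 3600,
                 absolute_lifetime=None):
        self.access_lifetime = access_lifetime
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self.refresh_tokens = {}   # refresh token -> RefreshRecord
        self.access_tokens = {}    # access token -> expiry time

    def _issue_access_token(self, now):
        token = secrets.token_urlsafe(16)
        self.access_tokens[token] = now + self.access_lifetime
        return token

    def authorize(self, now):
        """Initial grant: a token response with access and refresh tokens."""
        rt = secrets.token_urlsafe(16)
        self.refresh_tokens[rt] = RefreshRecord(issued_at=now, last_used=now)
        return {"access_token": self._issue_access_token(now),
                "refresh_token": rt, "expires_in": self.access_lifetime}

    def _refresh_problem(self, rt, now):
        """Return a reason the refresh token is unusable, or None if it is fine."""
        record = self.refresh_tokens.get(rt)
        if record is None or record.revoked:
            return "unknown or revoked"
        if (self.absolute_lifetime is not None
                and now >= record.issued_at + self.absolute_lifetime):
            record.revoked = True
            return "expired"
        if now - record.last_used > self.idle_timeout:
            record.revoked = True          # unused too long: revoke for good
            return "revoked after idle timeout"
        return None

    def refresh(self, rt, now):
        """grant_type=refresh_token: either a token response or an OAuth error."""
        problem = self._refresh_problem(rt, now)
        if problem:
            return {"error": "invalid_grant",
                    "error_description": f"refresh token {problem}"}
        self.refresh_tokens[rt].last_used = now
        return {"access_token": self._issue_access_token(now),
                "refresh_token": rt, "expires_in": self.access_lifetime}

    def introspect(self, access_token, now):
        """Introspection endpoint: active only if known and not yet expired."""
        exp = self.access_tokens.get(access_token)
        return {"active": exp is not None and now < exp}


if __name__ == "__main__":
    srv = AuthorizationServer()
    first = srv.authorize(now=0)
    print(srv.refresh(first["refresh_token"], now=4 * 3600))
    print(srv.refresh(first["refresh_token"], now=4 * 3600 + 5 * 3600 + 19 * 60))
```

Note the third print: 5 h 19 min of inactivity on a 5-hour idle timeout produces an error body with no access token at all, so a client that reads `access_token` from that response without first checking for `error` is the kind of bug that surfaces as "the refreshed token is invalid".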

Learning

Thanks for your prompt response Micah. These were helpful. However, we encountered a scenario where after the user was idle for 5 hrs 19 mins, and when he made the next hit with an expired access_token, we used the refresh token to get a new access_token. This access_token returned by using the refresh token was not a valid access_token. Introspect calls were made on these access tokens and they gave the token status as invalid. As per our assumption, these access tokens might be invalid because the refresh token might have expired during this time window. But as per your answer it looks like we should have received an error/exception in the response. We would like to recreate the scenario to debug this more and test the refresh token’s exact behavior after it expires.

1) Can you please let me know how to set the refresh token expiry for any XYZ application?

Thanks in Advance.

Micah

In the Okta admin console, you can go into the authorization server list from the menu: API → Authorization Servers. Select your authorization server. Select the Access Policies tab. Edit the rule. You can set the expiration for the refresh token there.

Learning

I can see only the default rule over there. If I need to know for a particular application, how can I check this?

Appreciate your quick response.

Micah

There’s always a default policy and rule that’s general - it encompasses all applications. You can add a new policy, bind it to a particular application and then add one or more rules which determine if tokens will be granted.

Learning

I want to create an Okta (OIDC app) self-service portal for our users. For SAML applications our engineer has already created one. I want to create an OIDC one using the same portal. Could you please help/guide me on how I can do that?

Albert Chen

Hi,

Good news! We are currently in a beta release for publishing OIDC apps in the OIN (Okta Integration Network). Please email david.nissen@okta.com, our Director of Product Management, who is coordinating this beta. He can walk you through the integration steps.

Steve Gore

It really is great. Thank you!

Micah

:+1: