Token Issuance

Identity Broker issues JSON Web Tokens (JWTs) to relying party applications upon successful authentication.

Token Types

  • ID Token: Contains user identity information (sub, name, email). Used by the client to identify the user.
  • Access Token: Contains scopes and permissions. Used to access protected APIs (including the UserInfo endpoint).
  • Refresh Token: Long-lived token used to obtain new Access Tokens without user interaction.

Configuration

Token lifetimes and signing algorithms are configured per Application (RP Client).

  • Signing Keys: Identity Broker rotates RSA keys automatically. Public keys are available at the JWKS endpoint.
  • Custom Claims: Additional data can be injected into tokens via Extended Attributes or Scripted Mappers.
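As an added example, not Identity Broker's own code, the issuance and relying-party verification flow the sections above describe, in Go using only the standard library: the broker signs an ID token with RS256 under a key id (kid), and the relying party selects the key by kid from its cached JWKS, pins the algorithm, checks the signature and validates iss, aud and exp. The names Issue, Verify, JWKS and NewKey are assumptions, and the JWKS is modelled as a kid-to-key map rather than parsed from the JSON document the endpoint serves.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding
type JWKS map[string]*rsa.PublicKey // broker's published key set as kid -> key (JWK n/e parsing omitted)

// NewKey makes a fresh 2048-bit signing key, as the broker does on each rotation (assumed helper).
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
func decode(seg string, v any) error { // one base64url JWT segment -> JSON into v
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Issue signs claims as an RS256 JWT whose header names the signing key by kid (broker side).
func Issue(kid string, priv *rsa.PrivateKey, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig)
}

// Verify is the relying-party side: pin alg to RS256, pick the key by kid, check the signature, validate iss/aud/exp.
func Verify(tok string, keys JWKS, iss, aud string, now int64) (map[string]any, error) {
	var hdr struct{ Alg, Kid string }
	var claims map[string]any
	p := strings.Split(tok, ".")
	if len(p) != 3 || decode(p[0], &hdr) != nil || decode(p[1], &claims) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or alg is not RS256") // never let the token choose alg
	}
	pub := keys[hdr.Kid] // nil for an unknown kid: the broker may have rotated, so re-fetch the JWKS
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if sig, err := b64.DecodeString(p[2]); pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("unknown kid or signature does not verify")
	}
	if exp, ok := claims["exp"].(float64); claims["iss"] != iss || claims["aud"] != aud || !ok || now >= int64(exp) {
		return nil, errors.New("iss, aud or exp check failed") // JSON numbers decode as float64
	}
	return claims, nil
}
```

After a rotation the relying party will see a kid that is not in its cached JWKS; the usual handling is one re-fetch of the JWKS endpoint before rejecting the token, which this example leaves to the caller.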