IDaaS CIAM (Customer Identity and Access Management) uses tokens to authenticate requests and authorize access. All IDaaS business interfaces require a valid access_token. Requests without one return an error.
IDaaS issues three categories of tokens:
| Category | Tokens | How to obtain |
|---|---|---|
| Application-level | access_token | Your app, using the client_credentials grant |
| User-level | access_token, id_token, refresh_token | Returned together after a user logs in |
| Management-level | — | Not yet available |
Application-level access_token
Use the application-level access_token to call IDaaS login-related interfaces, including registration, login, two-factor authentication (2FA), and password recovery.
Get this token by calling the OAuth 2.0 client_credentials grant with your application's client_id and client_secret.
Validity: 2 hours. Refreshing or changing the validity period is not currently supported. Request a new token after the current one expires.
User-level tokens
After a user logs in, IDaaS returns three tokens together: access_token, id_token, and refresh_token. Each serves a distinct purpose.
access_token
Use the user-level access_token to call user self-service interfaces, such as mobile number modification and account deregistration.
Validity: 2 hours by default. You can configure this when creating the application or change it later.
id_token
The id_token confirms the identity of the logged-in user. It is returned only when response_type is set to token id_token during login.
The id_token uses the JSON Web Token (JWT) format. Preview its contents at https://jwt.io/.
The id_token also contains basic information about the currently logged-in user, which you can access directly without making additional interface requests.
id_token payload fields
The following is an example payload:
{
"sub": "61a76111efc5d7d37fe62421e475d0b1djM9R1Hkhkn",
"gtp": "password",
"cookie": "",
"azp": "",
"scope": "61a76111efc5d7d37fe62421e475d0b1djM9R1Hkhkn null 17301078373",
"loginName": "michael_test",
"customerId": "8674692815791024010",
"exp": 1632906904,
"jti": "eWEMG3hVwxth6jGRyhuADA",
"iat": 1632899705,
"nbf": 1632899645
}
| Field | Full name | Description |
|---|---|---|
| sub | Subject | Unique identifier of the authenticated user |
| gtp | Grant type parameter | Login method used (for example, password) |
| cookie | Cookie | Session cookie value associated with the login |
| azp | Authorized party | Client ID of the party the token was issued to |
| scope | Scope | Space-separated string containing the user's access scope |
| loginName | Login name | The username used to log in |
| customerId | Customer ID | Internal identifier of the customer account |
| exp | Expiration time | Unix timestamp indicating when the token expires |
| jti | JWT ID | Unique identifier for this token instance, used to prevent token replay |
| iat | Issued at | Unix timestamp indicating when the token was issued |
| nbf | Not before | Unix timestamp before which the token must not be accepted |
In a future release, CIAM will support using the id_token for cross-domain single sign-on (SSO).
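The following is an added example, not code from the IDaaS product or its SDK. It serializes the sample payload above into a JWT so the decoding logic can run offline, then checks the time claims (exp, nbf, iat) and keeps a jti replay cache, which is the purpose the field table gives for jti. The token is built with alg "none" purely as a constructed fixture; a real id_token is signed, and the signature must be verified with a JWT library and the issuer's key before any claim is trusted. The clock values and leeway are assumptions for illustration.

```python
import base64
import json

# Constructed sample: the id_token payload shown on this page, serialized as an
# unsigned JWT so the decoding logic can run offline. A real IDaaS id_token is
# signed; verify the signature with a JWT library and the issuer's public key
# before trusting any of these claims. Decoding is not verification.
_SAMPLE_PAYLOAD = {
    "sub": "61a76111efc5d7d37fe62421e475d0b1djM9R1Hkhkn",
    "gtp": "password",
    "cookie": "",
    "azp": "",
    "scope": "61a76111efc5d7d37fe62421e475d0b1djM9R1Hkhkn null 17301078373",
    "loginName": "michael_test",
    "customerId": "8674692815791024010",
    "exp": 1632906904,
    "jti": "eWEMG3hVwxth6jGRyhuADA",
    "iat": 1632899705,
    "nbf": 1632899645,
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_id_token() -> str:
    """Assemble header.payload.signature with an empty signature (constructed fixture only)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(_SAMPLE_PAYLOAD, separators=(",", ":")).encode()),
        "",
    ])


def decode_id_token(token: str) -> dict:
    """Split a JWT into its three segments and parse the JSON payload (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token must have header.payload.signature segments")
    return json.loads(_b64url_decode(parts[1]))


class ReplayCache:
    """Remembers jti values until their exp passes so one id_token is accepted only once."""

    def __init__(self):
        self._seen = {}  # jti -> exp

    def check_and_store(self, jti: str, exp: int, now: int) -> bool:
        # Entries whose exp has passed would be rejected as expired anyway; drop them.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if jti in self._seen:
            return False
        self._seen[jti] = exp
        return True


def validate_claims(payload: dict, now: int, replay: ReplayCache, leeway: int = 60) -> list:
    """Return the reasons the token is unacceptable at Unix time `now`; an empty list means OK."""
    problems = [f"missing {c}" for c in ("sub", "exp", "iat", "nbf", "jti") if c not in payload]
    if problems:
        return problems
    if now >= payload["exp"] + leeway:
        problems.append("expired")
    if now < payload["nbf"] - leeway:
        problems.append("not yet valid")
    if payload["iat"] > now + leeway:
        problems.append("issued in the future")
    if not replay.check_and_store(payload["jti"], payload["exp"], now):
        problems.append("jti already seen (replay)")
    return problems


if __name__ == "__main__":
    claims = decode_id_token(build_sample_id_token())
    cache = ReplayCache()
    print(validate_claims(claims, now=1632900000, replay=cache))   # first use: []
    print(validate_claims(claims, now=1632900000, replay=cache))   # same jti again: replay
    print(validate_claims(claims, now=1632999999, replay=ReplayCache()))  # past exp: expired
```

The leeway absorbs small clock differences between the issuer and the verifier; keep it to a minute or so, because a large leeway extends the window in which an expired or not-yet-valid token is accepted.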
refresh_token
Use the refresh_token to get a new access_token without requiring the user to log in again. Refreshing the access_token does not affect the id_token.
Validity: 30 days by default.
During the refresh_token's validity period, call the token refresh interface to get a new access_token. When both the access_token and refresh_token expire, the user must log in again.
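As an added example (not IDaaS code), the session bookkeeping a client needs to follow the rules above: use the cached user-level access_token while it is valid, call the refresh interface while only the refresh_token is still valid, and require a new login once both have expired. The 2-hour and 30-day lifetimes are the defaults stated on this page; the `UserSession` class, its field names, the clock-skew margin, and the assumption that a refresh leaves the refresh_token itself unchanged are illustrative assumptions. The page does not specify the refresh interface, so the call itself is left to the caller.

```python
from dataclasses import dataclass

USER_TOKEN_LIFETIME = 2 * 3600             # user-level access_token: 2 hours by default
REFRESH_TOKEN_LIFETIME = 30 * 24 * 3600    # refresh_token: 30 days by default


@dataclass
class UserSession:
    """Tokens returned together after login, with the Unix time each was issued (assumed field names)."""
    access_token: str
    refresh_token: str
    id_token: str
    access_issued_at: int
    refresh_issued_at: int
    access_lifetime: int = USER_TOKEN_LIFETIME
    refresh_lifetime: int = REFRESH_TOKEN_LIFETIME

    def next_action(self, now: int, skew: int = 30) -> str:
        """Return "use", "refresh" or "login".

        `skew` treats a token as expired slightly early so a request sent just
        before expiry is not rejected on arrival.
        """
        access_ok = now + skew < self.access_issued_at + self.access_lifetime
        refresh_ok = now + skew < self.refresh_issued_at + self.refresh_lifetime
        if access_ok:
            return "use"
        if refresh_ok:
            return "refresh"
        return "login"  # both expired: the user must log in again

    def apply_refresh(self, new_access_token: str, now: int) -> None:
        """Record the access_token obtained from the refresh interface.

        Only the access_token changes; the id_token is unaffected by a refresh.
        The refresh_token is assumed to stay the same (not stated on the page).
        """
        self.access_token = new_access_token
        self.access_issued_at = now


if __name__ == "__main__":
    s = UserSession("access-1", "refresh-1", "id-1", access_issued_at=1000, refresh_issued_at=1000)
    print(s.next_action(1000 + 3600))         # "use"
    print(s.next_action(1000 + 7200))         # "refresh"
    s.apply_refresh("access-2", 1000 + 7200)  # caller obtained this from the refresh interface
    print(s.next_action(1000 + 7200 + 60))    # "use"
    print(s.next_action(1000 + 30 * 24 * 3600))  # "login"
```

The application-level access_token follows the simpler branch of the same logic: there is no refresh_token, so once the 2 hours elapse the only action is to request a new token with the client_credentials grant.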
Token validity summary
| Token | Default validity | Configurable |
|---|---|---|
| Application-level access_token | 2 hours | No |
| User-level access_token | 2 hours | Yes |
| id_token | — | — |
| refresh_token | 30 days | — |