Token Type Reference
The Login Service contains both an OIDC-compliant Provider and a UMA-compliant Authorization Server. Both standards build on the OAuth2.0 notion of Access Tokens. This page summarises the token types and formats that the Login Service makes available to developers.
The Login Service handles two token formats; which one is used for a given exchange depends on the security constraints of the Platform components that share the token.
- Bearer Tokens: opaque strings that carry no meaning on their own. A component receiving one must redeem it against the Login Service (token introspection) to learn whether it is still valid and what context it carries (subject, client, scopes, expiry).
- JSON Web Tokens (JWT): self-contained JSON documents signed by the Login Service that carry claims about the context of a procedure. Because the signature can be checked locally, a recipient can verify a JWT without a round trip to the Login Service.
The JWT specification (IETF RFC 7519) defines the registered claims (iss, sub, aud, exp, nbf, iat, jti). None of them is mandatory in the JWT specification itself; which claims are required depends on the token type, for example OIDC requires iss, sub, aud, exp and iat in every ID Token.
The token types made available by the Login Service are those defined by OIDC and UMA:
- Access Token: the standard OAuth2.0 scope-based token.
- ID Token: an OIDC token that carries information about a successful authentication attempt (who authenticated, when, and for which client).
- PAT (Protection API Token): a UMA token obtained by a Resource Server (EOEPCA's PEP) and used to register and manage its protected resources with the Authorization Server.
- RPT (Requesting Party Token): a UMA token presented by a Client Application to access a protected resource; it is issued once the authorization policies attached to that resource have been evaluated.
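The two formats above call for different handling at a resource server such as the PEP, and the claim checks differ per token type. The following Python script is an added example (it is not Login Service code and not part of this documentation): it recognises a JWT by its three base64url segments and verifies it locally (signature with a pinned algorithm, required OIDC claims, issuer, audience, expiry), and treats anything else as an opaque Bearer token that must be redeemed against an introspection endpoint. The signing key, issuer URL, audience and the introspection table are constructed assumptions; the real Login Service signs JWTs with its own private key, and HS256 with a shared secret is used here only to keep the example free of third-party dependencies.

```python
"""Added example: handling the two Login Service token formats at a resource server."""
import base64
import hashlib
import hmac
import json
import time

# ASSUMPTIONS for this example (not values from the Login Service): a shared HS256
# secret stands in for the Login Service signing key; issuer and audience are made up.
SIGNING_KEY = b"example-shared-secret-replace-with-real-key-material"
ISSUER = "https://login.example.org"
AUDIENCE = "resource-api"
REQUIRED_ID_TOKEN_CLAIMS = ("iss", "sub", "aud", "exp", "iat")  # required by OIDC Core for ID Tokens


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_jwt(token: str) -> bool:
    """JWS compact form is header.payload.signature, the header being JSON with an 'alg'."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(header, dict) and "alg" in header


def mint_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Stand-in for the Login Service issuing a signed JWT (HS256 here for self-containment)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_jwt(token: str, key: bytes = SIGNING_KEY, issuer: str = ISSUER,
               audience: str = AUDIENCE, now=None) -> dict:
    """Local verification: signature first, then the claims a relying party must check."""
    now = time.time() if now is None else now
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it ('none', key confusion)
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))
    missing = [c for c in REQUIRED_ID_TOKEN_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    if claims["iss"] != issuer:
        raise ValueError("issuer mismatch")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if audience not in aud:
        raise ValueError("token not intended for this audience")
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


# Constructed stand-in for the Login Service introspection endpoint (RFC 7662 response shape).
# An opaque Bearer token carries nothing itself; its meaning lives on the server side.
INTROSPECTION_DB = {
    "c5a1f0d2e9b7": {"active": True, "client_id": "pep", "scope": "uma_protection", "exp": 4102444800},
    "0e9d8c7b6a54": {"active": False},  # revoked token
}


def introspect_bearer(token: str, now=None) -> dict:
    """Redeem an opaque token: unknown, revoked or expired tokens all come back inactive."""
    now = time.time() if now is None else now
    info = INTROSPECTION_DB.get(token, {"active": False})
    if not info.get("active") or info.get("exp", 0) <= now:
        return {"active": False}
    return info


def check_token(token: str, now=None):
    """Route by format: self-contained JWTs are verified locally, opaque tokens are redeemed."""
    if is_jwt(token):
        return "jwt", verify_jwt(token, now=now)
    return "bearer", introspect_bearer(token, now=now)


def is_rejected(token: str, now=None) -> bool:
    """True when local JWT verification fails (opaque tokens never raise; they come back inactive)."""
    try:
        check_token(token, now=now)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    good = mint_jwt({"iss": ISSUER, "sub": "alice", "aud": AUDIENCE, "exp": now + 300, "iat": now})
    print(check_token(good, now=now))
    print(check_token("c5a1f0d2e9b7", now=now))
```

Note that the format decides only how the token is checked, not whether it is trusted: a well-formed JWT with a valid signature is still rejected if its audience is another client, and an opaque token from the right issuer is still rejected once the introspection response says it is inactive.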
The following table summarises which Login Service tokens each EOEPCA component uses.
| Service | Token Type | Format | Origin | Usage | Examples |
|---|---|---|---|---|---|
| All | PAT (Protection API Token) | Bearer | Login Service | UMA Protection API (resource registration and management by the Resource Server) | PEP calls to Login Service endpoints |
| Proxy (PEP) | RPT (Requesting Party Token) | JWT / Bearer | Login Service | UMA protection (policy-based authorization) | (1) Client App calls to PEP-protected endpoints; (2) Building Block calls to the SCIM endpoint (PDP, User Profile); (3) calls to the Resource API (PEP); (4) calls to the Policy API (PDP) |
| Resource API (PEP) | Access Token | Bearer | Login Service | OAuth2.0 scope-based authorization | Calls to the Resource API (PEP); calls to the Policy API (PDP) |
| Resource API (PEP) | ID Token (id_token) | JWT | Login Service | OIDC authentication | Propagation of End-User claims |