kklo

Reputation: 821

Single use access token?

To my understanding, it can create a short-lived access token. But does it have a single-use access token that is similar to what the authorization code is?

What is the best approach to doing it? I have thought about using a refresh token, but that is still short-lived, not single (one-time) use.

Or can it be done this way:

App1 needs to get an access token from IS4 to call App2, but that token can be used once only. Can IS4 keep something in its state, and App2 call the introspection endpoint of IS4 (rather than validating the JWT locally), so that IS4 checks its state and allows it once?

Thanks in advance.

Upvotes: 0

Views: 2572

Answers (1)

leastprivilege

Reputation: 18482

You can configure IdentityServer to put a unique value (the jti claim) into an access token. That's a client setting.

This can be used to maintain a replay cache at the API to reject tokens that are used more than once. The token lifetime helps to trim the cache.

Upvotes: 2
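The replay cache the answer describes, as an added example (not code from the answer or from IdentityServer): the API remembers each accepted `jti` until that token's `exp` passes, rejects a second presentation of the same `jti`, and uses expiry to trim entries. The claim values are constructed; the cache assumes the API has already validated the token's signature, issuer, audience and lifetime.

```python
import time
from threading import Lock

class JtiReplayCache:
    """Remembers the jti of every accepted token until that token expires.

    Assumes the API has already validated the JWT signature, issuer,
    audience and expiry; this cache only adds the "once only" check
    on top of the standard validation.
    """

    def __init__(self):
        self._seen = {}       # jti -> exp (unix seconds)
        self._lock = Lock()

    def _trim(self, now):
        # The token lifetime bounds the cache: once a token has expired
        # it can no longer pass validation, so its jti is safe to forget.
        expired = [jti for jti, exp in self._seen.items() if exp <= now]
        for jti in expired:
            del self._seen[jti]

    def accept(self, claims, now=None):
        """Return True the first time a token is presented, False after."""
        now = time.time() if now is None else now
        jti = claims.get("jti")
        exp = claims.get("exp")
        if not jti or exp is None:
            return False          # no jti: single use cannot be enforced
        if exp <= now:
            return False          # expired tokens are never accepted
        with self._lock:
            self._trim(now)
            if jti in self._seen:
                return False      # replay: this jti was already used
            self._seen[jti] = exp
            return True

    def size(self):
        return len(self._seen)

# Constructed sample claims, shaped like an IdentityServer access token
SAMPLE_CLAIMS = {
    "iss": "https://idsrv.example", "aud": "app2",
    "client_id": "app1", "jti": "c0ffee-1234",
    "exp": 1_700_000_300, "nbf": 1_700_000_000,
}
```

When App2 runs as more than one instance, the cache has to be shared between them (for example in a distributed store); an in-process cache only catches replays that hit the same instance.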
