Class RefreshToken
- java.lang.Object
-
- io.jans.as.server.model.common.AbstractToken
-
- io.jans.as.server.model.common.RefreshToken
-
- All Implemented Interfaces:
io.jans.orm.model.base.Deletable
,java.io.Serializable
public class RefreshToken extends AbstractToken
Authorization servers MAY issue refresh tokens to web application clients and native application clients.
Refresh tokens MUST be kept confidential in transit and storage, and shared only among the authorization server and the client to whom the refresh tokens were issued.
The authorization server MUST maintain the binding between a refresh token and the client to whom it was issued. The authorization server MUST verify the binding between the refresh token and client identity whenever the client identity can be authenticated. When client authentication is not possible, the authorization server SHOULD deploy other means to detect refresh token abuse.
For example, the authorization server could employ refresh token rotation in which a new refresh token is issued with every access token refresh response. The previous refresh token is invalidated but retained by the authorization server. If a refresh token is compromised and subsequently used by both the attacker and the legitimate client, one of them will present an invalidated refresh token which will inform the authorization server of the breach.
The authorization server MUST ensure that refresh tokens cannot be generated, modified, or guessed to produce valid refresh tokens by unauthorized parties.
- Author:
- Javier Rojas Date: 09.29.2011
- See Also:
- Serialized Form
-
-
Constructor Summary
Constructors Constructor Description RefreshToken(int lifeTime)
Constructs a refresh token.RefreshToken(java.lang.String code, java.util.Date creationDate, java.util.Date expirationDate)
-
Method Summary
-
Methods inherited from class io.jans.as.server.model.common.AbstractToken
checkExpired, checkExpired, getCode, getCreationDate, getExpirationDate, getExpiresIn, getHash, getSessionDn, getTtl, getX5ts256, isDeletable, isExpired, isRevoked, isValid, resetTtlFromExpirationDate, setCode, setCreationDate, setDeletable, setExpirationDate, setExpired, setRevoked, setSessionDn, setX5ts256
-
-
-
-
Constructor Detail
-
RefreshToken
public RefreshToken(int lifeTime)
Constructs a refresh token.
When created, a token is valid for a given lifetime, and after this period of time, it will be marked as expired automatically by a background process.
When required, the token can be marked as revoked.
- Parameters:
lifeTime
- The life time of the token.
-
RefreshToken
public RefreshToken(java.lang.String code, java.util.Date creationDate, java.util.Date expirationDate)
-
-