Salesforce Developer Security Auth Oauth Tokens
Types of Tokens

The different OAuth flows use different types of tokens defined by OAuth 2.0. Here is some basic information about these token types:

1. Authorization code - An authorization code is a short-lived token created by the authorization server and passed to the client application via the browser. The client application sends the authorization code to the authorization server to obtain an access token and, optionally, a refresh token.
2. Access token - The access token is used by the client to make authenticated requests on behalf of the end user. It has a longer lifetime than the authorization code, typically on the order of minutes or hours. When the access token expires, attempts to use it will fail, and a new access token must be obtained.
3. Refresh token - The refresh token may have an indefinite lifetime, persisting for an admin-configured interval or until explicitly revoked by the end-user. The client application can store the refresh token, using it to periodically obtain fresh access tokens, but should be careful to protect it against unauthorized access, since, like a password, it can be repeatedly used to gain access to the resource server.
4. ID token - OpenID Connect defines the ID token, a signed data structure that contains authenticated user attributes including a unique identifier for the end-user, the time at which the token was issued, and an identifier for the client application that requested the token. The ID token is encoded as a JSON Web Token (JWT).
page revision: 0, last edited: 01 Jan 2017 23:07