Next: , Previous: , Up: The Json Web Token   [Contents][Index]


8.6 Access tokens

The (webid-oidc access-token) module contains a definition for the OIDC access token.

Class: <access-token> (<time-bound-token> <oidc-token>) webid aud client-id cnf/jkt

The access token is issued by an identity provider for a client, and is intended to be used by the resource servers. It indicates that the agent possessing a key hashed to cnf/jkt (a string) is identified by client-id (an URI) and is authorized to act on behalf of the user identified by webid (an URI). For compatibility, aud should be set to the literal string "solid". The agent demonstrates that it owns this key by issuing a DPoP proof alongside the access token.

To construct an access token, you would either need #:jwt-header and #:jwt-payload, as for any token, or a combination of parameters:

Since the same access token is presented on each request, it is not single-use.

Generic: webid token

Return the user identifier in token, as an URI.

Generic: client-id token

Return the client identifier in token, as an URI.

Generic: cnf/jkt token

Return the hash of the client key, as a string.

Generic: aud token

Return "solid".

Exception type: &invalid-access-token

This exception is raised when the access token is invalid.

function: make-invalid-access-token

Construct an exception of type &invalid-access-token.

function: invalid-access-token? exception

Check whether exception was raised because of an invalid access token.


Next: , Previous: , Up: The Json Web Token   [Contents][Index]