Token Types
In a KOBIL Shift Lite or KOBIL Digitanium+ environment there are four types of tokens:
Token | Usage | MC storage | IDP parameter |
---|---|---|---|
Access Token | Used for authentication against KOBIL services. It has the shortest lifetime, e.g. 2 minutes. After expiration, MC gets a new token by using the Refresh Token. | In Memory | Access Token Lifespan, ... |
Refresh Token | Used at runtime to update the Access Token when it has expired. It has a longer lifetime than the Access Token, e.g. 30 minutes. After expiration, MC gets a new token by using the Offline Token. | In Memory | SSO Session Max, ... |
Offline Token | Used for getting a new set of tokens if the app was not used for a longer time and the other tokens have expired. Depending on the Authentication Mode, the user can either just continue using the app or has to perform a biometric authentication before using the app. The Offline Token has the longest lifetime, e.g. 90 days. After expiration, the user has to do an online login to the IDP with their online credentials. Offline Tokens are a special kind of Refresh Token with scope offline_access. | Persistent | Offline Session Idle, ... |
JSON Web Token | Used for getting a new set of tokens. A valid signed JWT has to be passed when requesting the access token. On successful pre-checks, it gets the public key from the CA service and verifies the signature of the JWT. A response with the access-token, refresh-token, response_data (if present) and other details is sent on successful verification with the public key. | Persistent | Offline Session Idle, ... |
KOBIL Digitanium+ uses either a Refresh Token, an Offline Token or a JSON Web Token.
It is important that the configured token lifetimes satisfy: Access Token < Refresh Token < Offline Token.
It is always possible that the Security Server rejects the update of your tokens, e.g. when the change PIN flow disables all of the user's tokens for all devices on the server side. In this case you have to do an online login.
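The fallback chain and the lifetime ordering described above can be modelled as follows. This is an added example, not KOBIL SDK code: `Lifetimes`, `TokenCache`, `next_action` and `server_rejects_update` are hypothetical names, the default lifetimes are the example values from the table, and expiry is simplified to "time since issue".

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Action(Enum):
    USE_ACCESS = "use cached access token"
    USE_REFRESH = "renew with refresh token"
    USE_OFFLINE = "renew with offline token"
    ONLINE_LOGIN = "online login at the IDP"

@dataclass(frozen=True)
class Lifetimes:
    """Configured lifetimes in seconds (hypothetical container, not an SDK type)."""
    access: int = 2 * 60            # table example: 2 minutes
    refresh: int = 30 * 60          # table example: 30 minutes
    offline: int = 90 * 24 * 3600   # table example: 90 days

    def __post_init__(self):
        # Required ordering: Access Token < Refresh Token < Offline Token.
        if not 0 < self.access < self.refresh < self.offline:
            raise ValueError("lifetimes must satisfy access < refresh < offline")

@dataclass
class TokenCache:
    """Issue times in seconds; None means the token is not held."""
    access_issued: Optional[float] = None    # stored in memory
    refresh_issued: Optional[float] = None   # stored in memory
    offline_issued: Optional[float] = None   # stored persistently

    def after_restart(self) -> "TokenCache":
        # In-memory tokens are lost on app restart; the persistent one survives.
        return TokenCache(offline_issued=self.offline_issued)

def _valid(issued: Optional[float], lifetime: int, now: float) -> bool:
    return issued is not None and 0 <= now - issued < lifetime

def next_action(cache: TokenCache, lt: Lifetimes, now: float,
                server_rejects_update: bool = False) -> Action:
    """Pick the step the client takes before calling a service at time `now`."""
    if _valid(cache.access_issued, lt.access, now):
        return Action.USE_ACCESS
    if server_rejects_update:
        # Server-side rejection (e.g. tokens disabled) makes every renewal fail.
        return Action.ONLINE_LOGIN
    if _valid(cache.refresh_issued, lt.refresh, now):
        return Action.USE_REFRESH
    if _valid(cache.offline_issued, lt.offline, now):
        return Action.USE_OFFLINE
    return Action.ONLINE_LOGIN
```

Because only the Offline Token is persistent, a restarted app goes straight to the offline renewal path even when the in-memory tokens would still have been within their lifetime.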
Deleting Tokens
You can delete tokens stored by the SDK by using the ClearIamTokenCacheEvent as described in the Logout section for KOBIL Shift Lite and KOBIL Digitanium+.