Quasr
  • Introduction
    • Welcome to Quasr
    • Concepts
      • Flexible Authentication
      • User-Centric Privacy
      • Modern Development
    • Terminology
    • FAQs
  • Getting Started
    • Sign up with Quasr
    • Setup your tenant
      • Factor Configuration
      • Enrolling additional factors
      • Test with the Sample Client
      • Understanding Scopes & Scores
      • Setting up an API Client (M2M)
    • Connect your app
      • Hosted Login UI
      • Custom Login UI
      • Embedded Login UI
  • Account Administration
    • Introduction
    • Account & Billing
      • Metrics
    • Tenants
    • Usage & Statistics
    • Security
  • Tenant Administration
    • Introduction
    • Dashboard
    • Tenant Settings
    • Your Security
    • Accounts
      • Tenant Admins
    • Factors
      • Factors and Scoring
      • Username (ID)
      • Federation (OAuth2 / OIDC)
        • Apple
        • Facebook
        • GitHub
        • Google
        • LinkedIn
        • Slack
      • Time-based One-time Password (TOTP)
      • One-Time Password (OTP)
      • Password
      • Secret
    • Controls
      • Configuration
      • Permissions
      • Consents
      • Rules
    • Attributes
      • Capturing Claims
      • Sourcing Claims
      • Viewing Claims
      • Searching Claims / Users
      • Sharing Claims
    • Extensions
      • Synchronous
      • Asynchronous
    • Tokens
      • Session Token (OAuth 2.0)
      • Access Token (OAuth 2.0)
      • Refresh Token (OAuth 2.0)
      • ID Token (OIDC 1.0)
      • Consent Token
      • Authorization Code (OAuth 2.0)
    • Hosted Login Page
    • APIs
      • Authentication API
      • Management API (GraphQL)
  • Legal
    • Terms of Service
    • Acceptable Use Policy
    • DPA & Subprocessors
  • More Info
    • Standards
    • Security
      • Vulnerability Disclosure
      • Wall of Recognition
    • Support
    • Status
Powered by GitBook
On this page
  1. Tenant Administration
  2. Tokens

Session Token (OAuth 2.0)

The session token is generated by the Factors API when users authenticate or sign up and contains the account ID (sub claim), score for the user (scr claim) as well as which factors the user has successfully passed (fct claim). The session token can and must be used as an authorization token by the login UI in order to advance the session. To do so the session token must be presented as a bearer token in the Authorization header (so Bearer JWT).

Key properties you can configure for the session token are:

  • session lifetime (exp)

An example session token:

{
  "scope": "https://api.quasr.io/scopes/login", // access
  "https://api.quasr.io/claims/typ": "oauth2:access", // type
  "https://api.quasr.io/claims/use": 0, // unlimited use
  "https://api.quasr.io/claims/scr": 1, // score
  "https://api.quasr.io/claims/fct": [ "e3d99adf-1d99-47fd-8db5-20b36318a61f" ], // passed factors
  "https://api.quasr.io/claims/ext": true, // external account
  "sub": "ffd99cbb-f322-4dcf-8c64-48cc26c55c63", // account ID
  "jti": "10e86729-f117-47c0-9ccb-3f32d39b5f51", // token ID
  "aud": "https://api.quasr.io",
  "iss": "https://b62a482d-7365-4ae9-85a5-1453b3b0d5b9.api.quasr.io", // tenant ID
  "iat": 1642352431, // issued at
  "nbf": 1642352431, // not before
  "exp": 1642356031 // expires at
}

The session token should be kept securely by the login UI (or other UI) and never leave its environment. For example it should not be exposed in redirects.

PreviousTokensNextAccess Token (OAuth 2.0)

Last updated 1 year ago