5.1 Tokens used in ZTrust

Tokens are the foundation of secure authentication in ZTrust.

ZTrust issues different types of tokens as part of the OpenID Connect (OIDC) flow. These tokens carry identity, authentication, and authorization data that applications and APIs rely on to enforce secure access. Each token serves a specific purpose:

Access Token

• Purpose: Grants access to protected resources (APIs).

• Format: Typically a JWT (JSON Web Token).

• Audience: Meant for resource servers (APIs).

• Lifespan: Short-lived (default: 5 minutes in ZTrust).

• Content:

• Claims about the user (username, roles, etc.)

• Client info

• Token expiry time

• Scopes granted (like openid, email, etc.)

Usage: Sent in the Authorization header of API requests: Authorization: Bearer <access_token>

It is used to authorize access to backend services.

ID Token

• Purpose: Contains identity information about the user.

• Format: JWT

• Audience: Intended for the client (application).

• Lifespan: Same as access token (default: 5 minutes).

• Content:

• User profile information (name, email, preferred username, etc.)

• Issuer (iss), audience (aud)

• exp, iat, auth_time

• Usage: Mainly used for authentication, especially in OpenID Connect login flows.

It is used by the client app to verify the user's identity.

Refresh Token

• Purpose: Used to obtain a new access token (and optionally a new ID token) without requiring the user to log in again.

• Audience: Meant for the authorization server (ZTrust) only.

• Lifespan: Long-lived (default: 30 minutes in ZTrust, or configurable).

• Content:

• Reference to the original session

• Scopes

• Token expiry

Usage: Sent to ZTrust’s token endpoint like: POST /protocol/openid-connect/token

grant_type=refresh_token

refresh_token=<refresh_token>

It helps maintain sessions without user interaction.