Token Lifecycle
Understanding the token lifecycle is critical for maintaining secure and reliable OAuth / SSO integrations with eCourtDate. This page covers token issuance, usage, validation, and revocation.
Token Request
Tokens are obtained through the Authorization Code exchange. After the user authenticates with the Identity Provider and the client receives an authorization code, that code is exchanged at the provider's token endpoint for tokens.
A successful token response includes:
| Token | Description |
|---|---|
| access_token | Used to access protected resources on behalf of the user |
| id_token | A JWT containing identity claims (e.g., sub, email, name, group memberships) |
PKCE (Proof Key for Code Exchange)
PKCE is recommended for every Authorization Code flow, and it is required for public clients such as single-page and mobile apps that cannot keep a client secret. PKCE adds an additional layer of security by preventing authorization code interception attacks: a stolen authorization code is useless without the matching verifier.
With PKCE:
- The client generates a random `code_verifier` and derives a `code_challenge` from it (with the `S256` method, the challenge is the base64url-encoded SHA-256 hash of the verifier).
- The `code_challenge` (together with `code_challenge_method=S256`) is sent with the authorization request.
- The `code_verifier` is sent with the token exchange request.
- The authorization server recomputes the challenge from the presented `code_verifier` and verifies that it matches the original `code_challenge`.
This ensures that only the client that initiated the authorization request can exchange the code for tokens.
Token Lifetime
Token lifetime is configurable at the Identity Provider level. Consult your IDP documentation for guidance on setting appropriate token expiration values. Consider the following when configuring token lifetime:
- Shorter lifetimes reduce the window of exposure if a token is compromised
- Longer lifetimes reduce the frequency of re-authentication for users
- Balance security requirements with user experience for your organization
Token Validation
Always validate tokens server-side; claims decoded in the browser are not trustworthy until the signature has been checked. Token validation should include:
- Verifying the token signature against the IDP's published keys (typically via the JWKS endpoint), selecting the key by the token's `kid` header and pinning the expected signing algorithm rather than trusting the token's `alg` header
- Checking the token expiration (`exp` claim), allowing at most a small clock-skew tolerance
- Confirming the audience (`aud` claim) matches your application's client ID
- Validating the issuer (`iss` claim) matches your IDP
Token Revocation
Token revocation is supported and uses provider-specific End Session URLs. When a user signs out, the session should be terminated at both eCourtDate and the Identity Provider: clear the eCourtDate session first, then send the browser to the provider's End Session URL so the IDP session is ended as well. Note that ending the IDP session does not invalidate access tokens that have already been issued; a bearer token remains usable until its `exp` unless the provider revokes it, which is one more reason to keep token lifetimes short.
Provider-specific End Session URLs are documented on the Authorization Flows page. Refer to your provider's section for the correct endpoint and the parameters it requires (for example a registered post-logout redirect URI). The Google Workspace entry below is a token revocation endpoint, called from your server with the token to invalidate as its `token` parameter, rather than a browser sign-out URL, because Google does not provide an OIDC end-session endpoint.
| Provider | End Session URL |
|---|---|
| Azure AD | https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/logout |
| Google Workspace | https://accounts.google.com/o/oauth2/revoke |
| AWS Cognito | https://{domain}.auth.{region}.amazoncognito.com/logout |
| Okta | https://{your-domain}.okta.com/oauth2/v1/logout |
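The sign-out step for each provider in the table, as an added example that is not eCourtDate's own code. It ends the local session first and then returns the request to make against the provider's End Session URL. The query parameter names (`post_logout_redirect_uri`, `logout_uri`, `id_token_hint`, `token`) follow each provider's public documentation as I understand it and should be confirmed against it; the tenant, domain, client ID and redirect values are placeholders.

```javascript
// Added example (not eCourtDate's code): per-provider sign-out requests for the
// End Session URLs above. Parameter names are taken from the providers' public
// documentation as I understand it; all tenant/domain/client/redirect values
// are placeholders.
function buildSignOutRequest(provider, o) {
  switch (provider) {
    case 'azure-ad': {
      // Browser redirect; post_logout_redirect_uri must be registered on the app registration.
      const url = new URL(`https://login.microsoftonline.com/${o.tenantId}/oauth2/v2.0/logout`);
      url.searchParams.set('post_logout_redirect_uri', o.postLogoutRedirectUri);
      return { kind: 'redirect', method: 'GET', url: url.toString() };
    }
    case 'google-workspace': {
      // Not a browser sign-out: a server-side POST that invalidates the given access or refresh token.
      const url = new URL('https://accounts.google.com/o/oauth2/revoke');
      url.searchParams.set('token', o.token);
      return { kind: 'revoke', method: 'POST', url: url.toString() };
    }
    case 'aws-cognito': {
      // Browser redirect; logout_uri must be one of the app client's allowed sign-out URLs.
      const url = new URL(`https://${o.domain}.auth.${o.region}.amazoncognito.com/logout`);
      url.searchParams.set('client_id', o.clientId);
      url.searchParams.set('logout_uri', o.postLogoutRedirectUri);
      return { kind: 'redirect', method: 'GET', url: url.toString() };
    }
    case 'okta': {
      // Browser redirect; id_token_hint is required and post_logout_redirect_uri must be registered.
      const url = new URL(`https://${o.oktaDomain}/oauth2/v1/logout`);
      url.searchParams.set('id_token_hint', o.idToken);
      url.searchParams.set('post_logout_redirect_uri', o.postLogoutRedirectUri);
      return { kind: 'redirect', method: 'GET', url: url.toString() };
    }
    default:
      throw new Error(`unsupported provider: ${provider}`);
  }
}

// Sign-out handler: drop the local session unconditionally, then hand back the
// provider request (a redirect for the browser, or a revoke call for the server).
function signOut(provider, session, providerOpts, sessionStore) {
  sessionStore.delete(session.id);
  return buildSignOutRequest(provider, {
    ...providerOpts,
    idToken: session.idToken,
    token: session.accessToken,
  });
}

// Constructed walk-through (placeholder session and provider settings).
const sessions = new Map([['sess-1', { id: 'sess-1', idToken: 'eyJ.placeholder.idtoken', accessToken: 'ya29.placeholder' }]]);
const oktaSignOut = signOut('okta', sessions.get('sess-1'), {
  oktaDomain: 'dev-123456.okta.com',
  postLogoutRedirectUri: 'https://app.example.com/signed-out',
}, sessions);
console.log(oktaSignOut);
```

Handling the two kinds differently matters: for the redirect providers the IDP session ends only if the browser actually follows the URL, while for Google the revoke call is made from the server and the local session is all there is to clear.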