Social Login Tokens
It is the token generated each time a visitor performs a social login.
The token is returned on the socialid.events.onLoginSuccess event or sent as a parameter to the callback URL configured on the Social Login application.
- Created: every time the user logs in.
- Validity: expires in 1 hour.
- It is used to authenticate the GET login/info API call.
The connection_id is an identifier generated for each visitor's active connection. It represents the Social Login session for the current visitor.
The Social Login widgets automatically identify logged-in users by the connection_id saved in a cookie in the visitor's browser.
- Created: every time the user logs in, or via an API call.
- Validity: expires according to "Session Lifetime" configuration defined in the Social Login application.
- In order to generate a new connection_id given a user id, use the POST login/apps/:app_id/sign_ins REST API.
- In order to validate a connection_id and retrieve the user profile associated with it, use the GET login/connections/:id REST API.
- Created: when the user is created.
- Updated: every time the user logs in or via API.
- Validity: never expires.
- The PUT login/users/:user_id/token API updates a user's token.
The access token is provided by OAuth2 APIs through the token endpoint. This token is used to access OAuth2 resources.
- Created: every time the user logs in using OAuth2 APIs.
- Validity: expires in 1 week.
- Token endpoints generate access tokens.
The refresh token is provided by OAuth2 APIs through the token endpoint. This token is used to retrieve a new access token after expiration.
- Created: every time an access token is generated.
- Validity: never expires, but it is revoked after use.
- Token endpoints generate access tokens and their associated refresh tokens.
- POST_/oauth/token_refresh_token refreshes an access token, generating a new one given a refresh token.
The id_token is a JWT provided by OAuth2 APIs, used in combination with the OpenID Connect (OIDC) protocol.
- Created: every time an access token for OIDC is generated using the response_type id_token in the Authorization request.
- Validity: expires according to "JWT Expiration" configuration defined in the Social Login application.
The REST APIs use the HTTP Basic protocol for authentication. See the Authentication documentation.
To minimize security risks, follow the good practices listed below. Developers using our APIs need to be aware that indiscriminate use of the connection_id and user_token identifiers may increase those risks.
- Use secure connections (HTTPS) on your website to prevent tokens from being intercepted by attackers on unprotected networks. See Man-in-the-middle attack.
- Avoid storing any tokens in cookies. If you must, use the "secure" attribute on the cookie.
- Use extra authentication (e.g. login/password authentication) in critical operations of your website (financial operations, credit card data management, etc).
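One way to check the cookie practice above against your own site's responses, as an added example (not code from the Social Login documentation): it audits Set-Cookie header values for cookies carrying connection_id or user_token and flags any that lack the Secure attribute. The header values are constructed samples, and the cookie names are assumed to match the token names used on this page.

```python
from http.cookies import SimpleCookie

# Assumption: cookies are named after the tokens on this page.
# Extend this set with the cookie names your site actually uses.
TOKEN_COOKIE_NAMES = {"connection_id", "user_token"}


def audit_set_cookie(header_values):
    """Return (cookie_name, severity, message) for every token cookie found.

    header_values: iterable of raw Set-Cookie header values, one per cookie.
    """
    findings = []
    for raw in header_values:
        jar = SimpleCookie()
        jar.load(raw)  # attribute names are parsed case-insensitively
        for name, morsel in jar.items():
            if name not in TOKEN_COOKIE_NAMES:
                continue
            if not morsel["secure"]:
                # Without Secure the browser also sends the cookie over
                # plain HTTP, where it can be read on the network.
                findings.append((name, "high", "token cookie without Secure"))
            else:
                # Secure is present, but the token still lives in a cookie.
                findings.append((name, "info", "token stored in a cookie"))
    return findings


# Constructed sample headers (not captured from a real deployment).
SAMPLE_HEADERS = [
    "connection_id=c0ffee1234; Path=/; Max-Age=3600",
    "user_token=example-token; Path=/; secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for name, severity, message in audit_set_cookie(SAMPLE_HEADERS):
        print(f"[{severity}] {name}: {message}")
```
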