Feature Description

ProAuth issues tokens after a successful login request. Tokens can be issued for users or services. The tokens can be heavily customized with a claim rule engine to perfectly match the needs of your application.

The following tokens can be issued by ProAuth:

  • id_token
    • Identity information about the user
    • Set of rules for validating an id_token: expiration and signature section
  • access_token
    • Used as bearer tokens (can access authorized resources without further identification)
    • Usually short lifespan (expiration)
  • refresh_token
    • Used to obtain new access tokens
    • Usually long-lived - allows for long-lived sessions that can be killed if necessary
    • Refresh tokens can be revoked by admins


The goal of authentication and authorization is to protect resources (i.e. an API). A token used to access a resource needs to be requested for this resource.

Different Scenarios

  • Use a single access token with a single generic or global audience (i.e. all APIs in a single domain)
  • Use a single access token with multiple audiences (i.e. one or more specific audiences fore each API)
  • Use multiple access tokens, each with its own audience for each API

Resource and Audience

  • A system consists of multiple resources which need to be protected
  • Within a token request (authentication flows), the client requests the token be valid for one or many resources
  • The identity provider verifies the request and creates tokens which are valid for the granted resources.
  • The token contains an audience (aud) claim which indicates for what resources this token was issued for.

Claims and Scopes

Claims are assertions that one subject makes about itself or another subject.

  • Information about subject like first name, last name, group membership
  • Information about token like issuer and intended audience

Scopes are groups of claims

  • Logical grouping of claims
  • Consent to a scope will result in getting an ID Token containing the corresponding claims


  • Claims are used to request a certain set of claims / access request
  • The access token contains the requested scopes (and claims) whereas the id token contains the claims

OpenID Connect Scopes:

Scope Claims
email email, email_verified
address address
profile name, family_name, given_name, middle_name,
nickname, preferred_username, profile, picture, updated_at,
website, gender, birthdate, zoneinfo, locale
phone phone_number, phone_number_verified
openid sub, auth_time, acr

Key Features

  • Token Types
  • Resources
  • Scopes


Did we raise your attention or do you have any questions? Contact us today at:

  • +41 44 508 37 00
  • proauth@4tecture.ch