**Understanding Tokens and Login Sessions in IBM Cloud**
IBM Cloud relies on the OAuth 2.0 protocol for authentication and authorization. However, the platform has extended some functionalities to cater to its specific requirements. This article explores the usage, format, and management of access and refresh tokens, as well as login sessions within IBM Cloud.
**Access and Refresh Tokens**
In IBM Cloud, applications receive access tokens based on OAuth 2.0 standards, representing authenticated identities and permissions. Additionally, the access token also denotes the currently selected account. When invoking IBM Cloud services, this token is transmitted as part of the API call, allowing the service to make authorization decisions. Refresh tokens can also be obtained for specific use cases to obtain a new access token when the previous one expires. Access tokens can be obtained using an API key or when running on an IBM Cloud-managed compute platform.
Access tokens in IBM Cloud use the JSON Web Token format, with a standard format and signature created using the RS256 algorithm. IBM Cloud Services and applications can validate these tokens without significant latency, as they cache public signature keys announced by IBM Cloud IAM.
Login sessions are created when a user logs into the IBM Cloud Console or the IBM Cloud CLI. Users can manage and revoke their login sessions through the user interface, with various factors leading to the expiration of a session. IAM Administrators can configure parameters such as active sessions, sign out due to inactivity, and concurrent sessions.
**Tokens Without Login Sessions**
For service invocations in IBM Cloud that do not require login sessions or session revocation capabilities, access and refresh tokens may still be used. However, IBM Cloud IAM avoids generating refresh tokens as much as possible for API interactions, with one exception being the use of Service IDs for IBM Cloud CLI operations.
For access tokens created with an API key or based on a compute platform, refresh tokens are not generated, and no login session is created in the background. The lifetime of access tokens is typically 60 minutes, and the default validity of refresh tokens is 72 hours, configurable by IAM Administrators.
IBM Cloud IAM uses access tokens for client invocations of services and attempts to minimize the generation of refresh tokens, with login sessions providing control over session expiration and revocation for IBM Cloud CLI operations. IAM Administrators can tailor the IAM settings based on the specific needs of their account, influencing the expiration of access and refresh tokens.
For further information, you can refer to the IBM Cloud Identity and Access Management resources.
*Frequently Asked Questions (FAQ)*
**Q: What is the format of access tokens in IBM Cloud?**
A: Access tokens in IBM Cloud use the JSON Web Token format with a standard format and are signed using the RS256 algorithm.
**Q: Can I revoke login sessions in IBM Cloud?**
A: Yes, users can manage and revoke their login sessions through the user interface provided by IBM Cloud.
**Q: How long do access tokens and refresh tokens last by default in IBM Cloud?**
A: By default, access tokens are valid for 60 minutes, while refresh tokens are valid for 72 hours.
**Q: Can IAM Administrators configure login session parameters in IBM Cloud?**
A: Yes, IAM Administrators can configure parameters such as active sessions, sign out due to inactivity, and concurrent sessions for login sessions.
**Q: Are refresh tokens generated for all interactions in IBM Cloud?**
A: No, IBM Cloud IAM avoids generating refresh tokens as much as possible, especially for service invocations where login sessions are unnecessary.
**Q: Where can I find more information about IBM Cloud Identity and Access Management?**
A: You can refer to the IBM Cloud Identity and Access Management resources for further information.
*Source: [IBM Cloud Identity and Access Management](https://www.ibm.com/cloud/identity-and-access-management)*