From e0326c96c93b394d29cfe0f43da6fd5cdee641f1 Mon Sep 17 00:00:00 2001 From: wangsijie Date: Fri, 23 Aug 2024 14:29:39 +0800 Subject: [PATCH] chore: add changeset (#6492) --- .changeset/funny-goats-tap.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .changeset/funny-goats-tap.md diff --git a/.changeset/funny-goats-tap.md b/.changeset/funny-goats-tap.md new file mode 100644 index 000000000..e01954ed7 --- /dev/null +++ b/.changeset/funny-goats-tap.md 
@@ -0,0 +1,29 @@ +--- +"@logto/console": minor +"@logto/core": minor +"@logto/phrases": minor +"@logto/schemas": minor +--- + +Add personal access token (PAT) + +Personal access tokens (PATs) provide a secure way for users to grant access tokens without using their credentials and interactive sign-in. + +You can create a PAT by going to the user's detail page in Console or using the Management API `POST /users/:userId/personal-access-tokens`. + +To use a PAT, call the token exchange endpoint `POST /oidc/token` with the following parameters: + +1. `grant_type`: REQUIRED. The value of this parameter must be `urn:ietf:params:oauth:grant-type:token-exchange` indicates that a token exchange is being performed. +2. `resource`: OPTIONAL. The resource indicator, the same as other token requests. +3. `scope`: OPTIONAL. The requested scopes, the same as other token requests. +4. `subject_token`: REQUIRED. The user's PAT. +5. `subject_token_type`: REQUIRED. The type of the security token provided in the `subject_token` parameter. The value of this parameter must be `urn:logto:token-type:personal_access_token`. +6. `client_id`: REQUIRED. The client identifier of the client application that is making the request, the returned access token will contain this client_id claim. + +And the response will be a JSON object with the following properties: + +1. `access_token`: REQUIRED. The access token of the user, which is the same as other token requests like `authorization_code` or `refresh_token`. +2. `issued_token_type`: REQUIRED. The type of the issued token. The value of this parameter must be `urn:ietf:params:oauth:token-type:access_token`. +3. `token_type`: REQUIRED. The type of the token. The value of this parameter must be `Bearer`. +4. `expires_in`: REQUIRED. The lifetime in seconds of the access token. +5. `scope`: OPTIONAL. The scopes of the access token.
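Review bot: the sentence for `grant_type` in the request parameter list is ungrammatical and should read "The value of this parameter must be `urn:ietf:params:oauth:grant-type:token-exchange`, which indicates that a token exchange is being performed." Similarly, the `client_id` item is a comma splice; split it as "...that is making the request. The returned access token will contain this `client_id` claim." Two documentation gaps worth closing before this ships as the user-facing changeset: it states how to create a PAT but not how its lifetime is bounded or how it is revoked, and it marks `client_id` as REQUIRED without saying whether any client authentication beyond the identifier is expected on `POST /oidc/token`; both are the first things an integrator will ask when deciding how to store and rotate these tokens.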