Overview
Casdoor is built on OAuth and utilizes tokens as users' OAuth tokens.
Access Token and ID Token
In Casdoor, the access_token and id_token are identical. Both tokens contain the same JWT payload with user information and claims. This is a design choice in Casdoor that simplifies token management.
This approach means:
- Both tokens contain the same user information and custom claims
- Both tokens can be used interchangeably for authentication and authorization
- The token format and expiration settings apply to both tokens equally
- You cannot configure separate claims for
access_tokenandid_token
Token Fields
The following are the available token fields in Casdoor:
OwnerNameCreatedTimeApplicationOrganizationUserCodeAccessTokenExpireIn(Tokens will expire in hours)Scope(Scope of authorization)TokenType(e.g.,Bearertype)
After logging into the application, there are three options to generate a JWT Token:
JWTJWT-EmptyJWT-CustomJWT-Standard
The options are as follows: JWT will generate a token containing all User fields, JWT-Empty will generate a token with all non-empty values for the user, and JWT-Custom will generate a token containing custom User Token fields (you can choose attributes in the Token fields). JWT-Standard will generate a token with some standard OIDC token fields include email, phone, gender and Address (Address value in other format is not standard).
