B2C Tokens


    Overview

    The Livestock Information Service (LIS) Identity Platform is built on Azure AD B2C, which supports the OAuth 2.0 and OpenID Connect protocols. Both protocols use tokens for authentication and for secure access to resources. All tokens issued by the LIS identity platform are JSON Web Tokens (JWTs) that contain assertions (claims) about the bearer and the subject of the token.

    Token Types

    The following tokens are used in communication with the Livestock Identity Platform:

    • Access token: a JWT containing the claims LIS uses to identify the permissions granted for the livestock APIs
    • ID token: a JWT containing the claims LIS uses to identify users in livestock applications
    • Refresh token: used to acquire new ID tokens and access tokens in an OAuth 2.0 flow

    Token lifetime behaviour

    Access Token

    Before interacting with the LIS API, your application needs to obtain an access token by following the LIS authentication process (Step 4 below).

    Access tokens are valid for 60 minutes. You will also receive a refresh token at this point.

    Refresh Token

    A refresh token can be used to acquire a new access token from the LIS system for up to 90 days after it was issued. Your application can do this in the background. If your application does not obtain a new refresh token within 90 days, the user will have to log in again the next time the application needs to interact with the Livestock API.

    Lifetime Length

    The lifetime length is 180 days. After this period elapses, the user is forced to re-authenticate, irrespective of the validity period of the most recent refresh token acquired by your application.

    Livestock Recommendation

    Third-party developers are recommended to use the Microsoft MSAL libraries to handle these authentication journeys.

    The Microsoft Authentication Library (MSAL) enables developers to acquire tokens from the Microsoft identity platform (for example, the Livestock identity platform) in order to authenticate users and access secured web APIs. MSAL supports many application architectures and platforms, including .NET, JavaScript, Java, Python, Android and iOS.

    To read more about MSAL, go to https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-overview.

    SPA exception:

    Single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours; mobile apps, desktop apps and web apps are not subject to this limitation. See the Microsoft documentation on the security implications of refresh tokens in the browser, and on configuring tokens in Azure Active Directory B2C, for more detail.
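    The 60-minute, 90-day and 180-day rules above, together with the 24-hour SPA exception, can be modelled in a few lines. The following Python is an added example, not code from the LIS documentation or from MSAL: it reads the exp claim from an access token and decides whether a client can call the API, should refresh silently, or must send the user back to sign in. The token builder, the claim layout and all timestamps are constructed for the example and assume a standard JWT exp claim in Unix seconds.

```python
import base64
import json
from datetime import datetime, timedelta, timezone
from enum import Enum

# Lifetimes as stated in the LIS documentation.
ACCESS_TOKEN_LIFETIME = timedelta(minutes=60)
REFRESH_TOKEN_LIFETIME = timedelta(days=90)        # sliding: renewed on each refresh
SPA_REFRESH_TOKEN_LIFETIME = timedelta(hours=24)   # SPA + PKCE exception
SESSION_LIFETIME = timedelta(days=180)             # absolute: forces re-authentication


class Action(Enum):
    USE_ACCESS_TOKEN = "call the API with the current access token"
    REFRESH = "silently redeem the refresh token"
    REAUTHENTICATE = "interactive sign-in required"


def jwt_exp(token: str) -> datetime:
    """Read the 'exp' claim of a JWT without verifying it.

    Only suitable for scheduling a refresh on the client; the API that
    receives the token must still validate its signature and claims.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)      # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return datetime.fromtimestamp(payload["exp"], tz=timezone.utc)


def next_action(now, signed_in_at, last_refresh_at, access_token, is_spa=False):
    """Decide what a client should do next under the LIS lifetime rules."""
    if now - signed_in_at >= SESSION_LIFETIME:
        return Action.REAUTHENTICATE          # 180-day ceiling always wins
    if now < jwt_exp(access_token):
        return Action.USE_ACCESS_TOKEN        # still inside the 60-minute window
    refresh_lifetime = SPA_REFRESH_TOKEN_LIFETIME if is_spa else REFRESH_TOKEN_LIFETIME
    if now - last_refresh_at < refresh_lifetime:
        return Action.REFRESH                 # refresh token still redeemable
    return Action.REAUTHENTICATE              # refresh token has lapsed


def make_unsigned_token(exp: datetime) -> str:
    """Constructed sample JWT (alg none, no signature) carrying only an 'exp' claim."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': int(exp.timestamp())})}."
```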

    Summary

    If your application keeps refreshing the LIS B2C refresh token in the background at regular intervals, the user will have to authenticate (enter credentials) only twice a year.