CIAM.wiki

Continuous Access Evaluation

Continuous access evaluation is a model where access decisions are re-checked during a session in near real time, so events such as a revoked account or a risk change can cut off access before a token would normally expire.

Also: CAE, Continuous Access Evaluation Protocol (CAEP)

Continuous access evaluation (CAE) closes the gap left by fixed token lifetimes. With ordinary access tokens, a resource server keeps honoring a token until it expires, even if the user was disabled or the session became risky moments after it was issued. CAE introduces a channel through which the identity provider signals those changes, so the resource server can reject the token sooner.

It builds on the Shared Signals Framework, in which providers and relying parties exchange security event tokens (SETs) describing changes such as credential revocation, session termination, or device compliance loss. A resource server subscribed to these signals can re-evaluate access mid-session instead of waiting for the token's expiry.

The result is a shorter window of exposure. Rather than waiting for a token to lapse and a new one to reflect the change, enforcement happens close to the moment the underlying condition shifts.
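The three paragraphs above describe the mechanism in the abstract: a resource server that would honor a token until its expiry, a security event token arriving from the identity provider, and the shorter exposure window that results. The following Python is an added illustration written for this entry, not code from CIAM.wiki or from any Shared Signals implementation. It uses the real CAEP and RISC event type identifiers from the OpenID specifications, but the issuer and audience names, the token, and the security event token are constructed sample data, and the SET is taken as already signature-verified and parsed into a dict.

```python
"""Added example (not from CIAM.wiki): a resource server that honours access
tokens until expiry but also re-evaluates them against Shared Signals / CAEP
security events, so a revoked session is cut off before the token lapses."""
from dataclasses import dataclass, field
from typing import Optional

# Event type identifiers from the OpenID CAEP and RISC specifications.
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
CREDENTIAL_CHANGE = "https://schemas.openid.net/secevent/caep/event-type/credential-change"
ACCOUNT_DISABLED = "https://schemas.openid.net/secevent/risc/event-type/account-disabled"

TRUSTED_ISSUER = "https://idp.example"  # constructed: the identity provider we accept SETs from
AUDIENCE = "https://api.example"        # constructed: this resource server's identifier


def subject_key(subject: dict) -> str:
    """Normalise an RFC 9493 subject identifier into a lookup key."""
    fmt = subject.get("format")
    if fmt == "iss_sub":
        return f"iss_sub:{subject['iss']}|{subject['sub']}"
    if fmt == "email":
        return "email:" + subject["email"].lower()
    raise ValueError(f"unsupported subject format: {fmt!r}")


@dataclass
class SignalStore:
    """State the resource server keeps from received Security Event Tokens."""
    revoked_before: dict = field(default_factory=dict)  # subject key -> event_timestamp
    disabled: set = field(default_factory=set)          # subject keys with account-disabled
    seen_jti: set = field(default_factory=set)          # duplicate / retried deliveries

    def ingest(self, set_claims: dict) -> list:
        """Apply the events carried by one SET (its signature is assumed to have
        been verified upstream). Returns the list of event types applied."""
        if set_claims.get("iss") != TRUSTED_ISSUER or set_claims.get("aud") != AUDIENCE:
            return []                       # not addressed to us by a trusted issuer
        jti = set_claims["jti"]
        if jti in self.seen_jti:
            return []                       # already applied; deliveries may be retried
        self.seen_jti.add(jti)
        applied = []
        for event_type, body in set_claims.get("events", {}).items():
            key = subject_key(body["subject"])
            if event_type in (SESSION_REVOKED, CREDENTIAL_CHANGE):
                # Tokens issued before this moment belong to the old session.
                ts = body.get("event_timestamp", set_claims["iat"])
                self.revoked_before[key] = max(self.revoked_before.get(key, 0), ts)
                applied.append(event_type)
            elif event_type == ACCOUNT_DISABLED:
                self.disabled.add(key)      # nothing for this subject is acceptable
                applied.append(event_type)
        return applied


def token_allowed(token: dict, now: int, signals: Optional[SignalStore] = None) -> tuple:
    """Decide whether an already-verified access token is acceptable at `now`.
    With signals=None this is the classic expiry-only check."""
    if token.get("aud") != AUDIENCE:
        return False, "wrong audience"
    if now >= token["exp"]:
        return False, "expired"
    if signals is not None:
        key = subject_key({"format": "iss_sub", "iss": token["iss"], "sub": token["sub"]})
        if key in signals.disabled:
            return False, "account disabled"
        if token["iat"] < signals.revoked_before.get(key, 0):
            return False, "session revoked after token issuance"
    return True, "ok"


def exposure_seconds(token: dict, set_claims: dict, event_type: str) -> dict:
    """How long the token keeps being honoured after the event, with and
    without CAE. The SET's iat stands in for the moment the signal arrived."""
    ts = set_claims["events"][event_type]["event_timestamp"]
    return {
        "expiry_only": max(0, token["exp"] - ts),
        "with_cae": max(0, set_claims["iat"] - ts),
    }


# --- constructed sample data: a one-hour token and a revocation 5 minutes later
T0 = 1_700_000_000
TOKEN = {"iss": TRUSTED_ISSUER, "sub": "user-123", "aud": AUDIENCE,
         "iat": T0, "exp": T0 + 3600}
REVOCATION_SET = {
    "iss": TRUSTED_ISSUER, "aud": AUDIENCE, "jti": "set-0001", "iat": T0 + 301,
    "events": {
        SESSION_REVOKED: {
            "subject": {"format": "iss_sub", "iss": TRUSTED_ISSUER, "sub": "user-123"},
            "event_timestamp": T0 + 300,
        }
    },
}

if __name__ == "__main__":
    store = SignalStore()
    print("before signal:", token_allowed(TOKEN, T0 + 600, store))
    print("applied:      ", store.ingest(REVOCATION_SET))
    print("after signal: ", token_allowed(TOKEN, T0 + 600, store))
    print("expiry only:  ", token_allowed(TOKEN, T0 + 600))
    print("exposure:     ", exposure_seconds(TOKEN, REVOCATION_SET, SESSION_REVOKED))
```

Two design points matter for a real deployment. First, the store keys revocations on the event timestamp rather than simply blacklisting the subject: a token minted after the user re-authenticates is accepted, while any token from before the event is not, which is the behaviour a session-revoked event is meant to produce. Second, the issuer, audience and `jti` checks on the incoming SET are what keep the signal channel itself from becoming a way for an untrusted party to deny service, so they belong in the ingest path and not only in the token check.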

For CIAM, continuous access evaluation supports zero-trust expectations for customer sessions, letting a business revoke access quickly after fraud detection, a password reset, or a logout from another device.
