Layer7 API Management

  • 1.  Hard timelimit on a refresh token

    Posted Jan 17, 2017 09:42 AM

    Is there a way to set a hard limit on the refresh token expiry?

    In other words, a client can use a refresh token that is issued for 24 hrs, and no matter how many times the refresh token is refreshed, I want the expiration time of the original refresh token to be enforced.



  • 2.  Re: Hard timelimit on a refresh token

    Broadcom Employee
    Posted Jan 17, 2017 10:00 AM

    Kaladhar,

    The refresh token has a hard limit. The refresh token is only valid up to 24 hours (if that’s what you set the value to).

    Here are the properties that you would need to update:

     

    https://docops.ca.com/ca-api-management-oauth-toolkit/3-6/en/customizing-the-oauth-toolkit/configure-token-lifetime-properties

    Derek Orr

    ca technologies

    Principal Consultant, CA API Management Presales

    m: 778-980-0029

    Email: Derek.Orr@ca.com

    CA API Management Community: https://communities.ca.com/community/ca-api-management-community



  • 3.  Re: Hard timelimit on a refresh token

    Posted Jan 18, 2017 10:39 PM

    Derek,

    Thank you for replying. If I use the refresh grant and use the refresh token issued initially, then I will get another refresh token (along with an access token) that is valid for another 24 hrs, overwriting the previous one. I do not want that to happen. Is there a way to limit that?



  • 4.  Re: Hard timelimit on a refresh token
    Best Answer

    Posted Jan 19, 2017 11:36 AM

    Even though the Refresh Token lifetime is pre-configured in the policy, every time a new Access Token is requested, the OTK framework issues a new Access Token and also extends the Refresh Token lifetime. Due to this behavior the Refresh Token never expires as long as it is being used for getting new Access Tokens.

    In theory a Refresh Token should never be renewed; it should always have a fixed lifetime. It depends on how the OAuth 2.0 protocol is interpreted and varies based on the implementation.

    To address this specific situation with the OTK framework, we have modified the OTK policies on the gateway to stop renewing the Refresh Token and force users to re-authenticate and authorize the application to get a new Refresh Token. We are using OTK Framework 3.0 on v8.3 gateways. Not sure about this behavior in new versions. Following are the policies you may have to review and customize to achieve what you need for your application.

    1. OTK grant_type=REFRESH_TOKEN - Policy Fragment

    2. OTK grant_type=REFRESH_TOKEN - Encapsulated Assertion

    3. auth/oauth/v2/token - Service
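To make the two behaviours discussed in this thread concrete, here is an added Python model (not OTK or gateway policy code) of the refresh grant: a store with the sliding lifetime the answer describes beside one that enforces the original hard limit and the single-use overwrite the question mentions. The store, record layout and 24-hour lifetime are assumptions for the illustration.

```python
import secrets
from dataclasses import dataclass

REFRESH_LIFETIME = 24 * 3600  # assumed configured refresh-token lifetime (24 hrs, as in the thread)


@dataclass
class RefreshRecord:
    subject: str
    expires_at: int        # when this particular refresh token value stops working
    hard_expires_at: int   # expiry of the original grant; fixed when the user authorized
    used: bool = False     # single use: the token issued by the refresh grant overwrites it


class TokenStore:
    """Constructed in-memory model of the refresh grant (hypothetical, not OTK code)."""

    def __init__(self, sliding: bool):
        self.sliding = sliding  # True = lifetime extended on every use; False = hard limit
        self.refresh = {}

    def authorize(self, subject: str, now: int) -> str:
        """User authenticates and authorizes the app: a fresh grant with a new hard limit."""
        token = secrets.token_urlsafe(24)
        self.refresh[token] = RefreshRecord(subject, now + REFRESH_LIFETIME, now + REFRESH_LIFETIME)
        return token

    def refresh_grant(self, token: str, now: int):
        """grant_type=refresh_token: returns (access_token, new_refresh_token) or raises."""
        rec = self.refresh.get(token)
        if rec is None or rec.used or now >= rec.expires_at:
            raise PermissionError("invalid_grant")
        rec.used = True
        # Sliding mode extends the lifetime on every use; hard-limit mode inherits the
        # original expiry, so the client must re-authorize once that time passes.
        new_expiry = now + REFRESH_LIFETIME if self.sliding else rec.hard_expires_at
        new_token = secrets.token_urlsafe(24)
        self.refresh[new_token] = RefreshRecord(rec.subject, new_expiry, rec.hard_expires_at)
        return secrets.token_urlsafe(24), new_token

    def expires_at(self, token: str) -> int:
        return self.refresh[token].expires_at


def try_refresh(store: TokenStore, token: str, now: int):
    """Returns the new refresh token, or None when the gateway would reject the grant."""
    try:
        return store.refresh_grant(token, now)[1]
    except PermissionError:
        return None
```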