After an access token is generated, you might need to refresh or renew it when it expires or for security reasons. Use the refresh token grant when a new access token is needed. With this grant type, the refresh token acts as a credential that the authorization server issues to the client. Issuing a refresh token is optional; if the authorization server issues one, it is included in the response that issues the access token. As recommended by the OAuth 2.0 specification, refresh tokens are issued for all grant types other than the implicit grant.
Tip: Be sure to keep the refresh token private, similar to the access token, as this token issues access tokens without user interaction.
...
- The Token API URL is https://gateway.api.cloud.wso2.com/token.
- payload - "grant_type=refresh_token&refresh_token=<retoken>&scope=PRODUCTION". Replace the <retoken> value with the refresh token that you generated through the UI.
- headers - Authorization: Basic <base64 encoded string of consumer-key:consumer-secret>, Content-Type: application/x-www-form-urlencoded. Replace <base64 encoded string of consumer-key:consumer-secret> as appropriate.
...
Code Block (the Authorization header carries the Base64 encoding of the sample consumer-key:consumer-secret pair):
curl -k -d "grant_type=refresh_token&refresh_token=<retoken>&scope=PRODUCTION" -H "Authorization: Basic SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh" -H "Content-Type: application/x-www-form-urlencoded" https://gateway.api.cloud.wso2.com/token
When you use the refresh grant to get a new access token, the refresh token is renewed by default. To change this behavior, set the <RenewRefreshTokenForRefreshGrant> element to false. The new refresh token has a new expiry time and the previous refresh token becomes inactive. To change the expiry time of your refresh token, set the <RefreshTokenValidityPeriod> element; its value is in seconds.
Revoking access tokens
After issuing an access token, a user or an admin can revoke it in case of theft or a security violation. You can do this by calling the Revoke API using a REST client. The Revoke API's endpoint URL is https://gateway.api.cloud.wso2.com/revoke. The parameters required to invoke this API are as follows:
- The token to be revoked
- Consumer key and consumer secret, Base64-encoded as consumer-key:consumer-secret
For example:
Code Block:
curl -k -d "token=<access-token-to-be-revoked>" -H "Authorization: Basic Base64Encoded(Consumer-key:consumer-secret)" https://gateway.api.cloud.wso2.com/revoke
Tip: Even after revoking a token, it might still be available in the API Gateway cache to consumers until the cache expires, in approximately 15 minutes.
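A small client covering both operations above, the refresh token grant and the Revoke API, as an added example that is not part of the WSO2 documentation. The endpoint URLs, parameter names and headers are the ones the page lists; the consumer key, secret and token values are constructed placeholders, and the helper names (basic_auth_header, build_refresh_request, build_revoke_request, send) are this example's own.

```python
import base64
import json
import urllib.parse
import urllib.request

# Endpoint URLs as given on the page.
TOKEN_URL = "https://gateway.api.cloud.wso2.com/token"
REVOKE_URL = "https://gateway.api.cloud.wso2.com/revoke"
FORM = "application/x-www-form-urlencoded"


def basic_auth_header(consumer_key: str, consumer_secret: str) -> str:
    """Build the 'Authorization: Basic' value from consumer-key:consumer-secret."""
    raw = f"{consumer_key}:{consumer_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_refresh_request(consumer_key, consumer_secret, refresh_token, scope="PRODUCTION"):
    """Return (url, headers, body) for the refresh_token grant.
    urlencode() percent-escapes reserved characters the refresh token may contain."""
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": refresh_token, "scope": scope}
    )
    headers = {"Authorization": basic_auth_header(consumer_key, consumer_secret),
               "Content-Type": FORM}
    return TOKEN_URL, headers, body


def build_revoke_request(consumer_key, consumer_secret, token):
    """Return (url, headers, body) for the Revoke API (token=<token to revoke>)."""
    body = urllib.parse.urlencode({"token": token})
    headers = {"Authorization": basic_auth_header(consumer_key, consumer_secret),
               "Content-Type": FORM}
    return REVOKE_URL, headers, body


def send(url, headers, body):
    """POST the form body and return the parsed JSON response ({} if the body is empty).
    Unlike curl -k, urlopen verifies the server certificate against the system CA bundle."""
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        text = resp.read().decode("utf-8")
    return json.loads(text) if text else {}


if __name__ == "__main__":
    creds = ("CONSUMER_KEY_PLACEHOLDER", "CONSUMER_SECRET_PLACEHOLDER")  # constructed values
    tokens = send(*build_refresh_request(*creds, "OLD_REFRESH_TOKEN_PLACEHOLDER"))
    # By default the response carries a new refresh token as well as a new access token;
    # persist the new refresh token, because the previous one is now inactive.
    print(tokens.get("access_token"), tokens.get("refresh_token"))
    send(*build_revoke_request(*creds, tokens["access_token"]))  # revoke when done
```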