To learn how to configure the token validity periods of each service provider, see Configuring OAuth Token Validity Period for a Service Provider .
Configurations
Before you begin
- Install and run WSO2 Identity Server.
- Access the WSO2 Identity Server Management Console as an administrator.
- To create an OAuth service provider on the WSO2 Identity Server Management Console:
- On the Main menu, click Identity > Service Providers > Add.
- Enter
all_token_validity_app
in the Service Provider Name text box and click Register.
- In the Inbound Authentication Configuration section, click OAuth/OpenID Connect Configuration > Configure.
Enter
http://localhost:8080/playground2
in the Callback Url text box and click Add.The Callback Url is the service provider's URL to which the
authorization codes
are sent. Upon successful authentication, the browser should be redirected to this URL. For more information on authorization codes, see Authorization Code Grant.Note that a
client Id
andclient secret
have been created.
For more information on adding OAuth service providers, see Configuring Inbound Authentication for a Service Provider - OAuth/OpenID Connect Configuration.
- On the Main menu, click Identity > Service Providers > Add.
- Open the
identity.xml
file in the<IS_HOME>/repository/conf/identity
directory. To change the token validity periods, configure the elements given below.
- By default, the token validity periods are set to 3600 milliseconds. If you set a minus value, e.g., -1, the token never expires.
- The configuration changes mentioned below applies only to the newly created tokens.
Token Type Element XPATH of the Token Validity Period Example Application access token /Server/OAuth/AccessTokenDefaultValidityPeriod
<AccessTokenDefaultValidityPeriod>3600</AccessTokenDefaultValidityPeriod>
User access token /Server/OAuth/UserAccessTokenDefaultValidityPeriod
<UserAccessTokenDefaultValidityPeriod>3600</UserAccessTokenDefaultValidityPeriod>
ID token /Server/OAuth/OpenIDConnect/IDTokenExpiration
<IDTokenExpiration>3600</IDTokenExpiration>
Refresh token /Server/OAuth/RefreshTokenValidityPeriod
<RefreshTokenValidityPeriod>84600</RefreshTokenValidityPeriod>
To learn about the token types, see Key Concepts - Tokens.
To define whether to renew the refresh token or not when the refresh token grant is used, configure the following element.
Possible Values Element XPATH Example true
(default value)false
/Server/OAuth/RenewRefreshTokenForRefreshGrant
<RenewRefreshTokenForRefreshGrant>true</RenewRefreshTokenForRefreshGrant>
For more information on refresh token grant, see Refresh Token Grant.
Try it out
Let's try to retrieve the user access token validity period that is defined for all the service providers.
To generate access tokens with the authorization code grant type, update the place holders of the following command and run it in a browser.
Formathttps://localhost:9443/oauth2/authorize?response_type=code&redirect_uri=<SERVICE_PROVIDER_CALLBACK_URL>&client_id=<SERVICE_PROVIDER_CLIENT_ID>&scope=<scopes>
Examplehttps://localhost:9443/oauth2/authorize?response_type=code&redirect_uri=http://localhost:8080/playground2&client_id=Z4uLkgXHWSk8dXT7kFW04ntLrJQa&scope=somescope_code
The web application sign in page appears.Enter
admin
in the User Name and Password text boxes and click SIGN IN. The web application authorization page appears.Click Approve. Note that you will be redirected to the callback URL with the
authorization code
.To retrieve the access token validity period, update the place holders of the following curl and execute in a command prompt.
Formatcurl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic <base64encoded(SERVICE_PROVIDER_CLIENT_ID:SERVICE_PROVIDER_CLIENT_SECRET)>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=authorization_code&code=<AUTHORIZATION_CODE>&redirect_uri=<SERVICE_PROVIDER_CALLBACK_URL>'
Examplecurl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic WjR1TGtnWEhXU2s4ZFhUN2tGVzA0bnRMckpRYTpQbTdjc1Y2b2JtMVhER1ZPa2s2cnplTVJNTVlh' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=authorization_code&code=e7913209-37df-31a9-a84d-238c74b16e72&redirect_uri=http://localhost:8080/playground2'
Note that the response will include the access token validity period defined for all the service providers.Example{"access_token":"5b6ae5e6-08c2-36d4-9dfe-baff099ddb29","refresh_token":"e4c868e6-c7b8-3c3b-809e-dcfd8bb2efad","scope":"somescope_code","token_type":"Bearer","expires_in":3600}