This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Configuring OAuth Token Validity Period for a Service Provider
By default, all tokens generated through WSO2 Identity Server have a common validity period. Certain service providers, however, might require tokens with longer lifespans than others. WSO2 Identity Server enables administrators to configure the access token validity period of each service provider individually, based on need.
The token validity periods of each service provider are stored as JSON documents in a registry resource. For the super tenant and for newly created tenants, this registry resource is created automatically. For existing tenants, the registry resource has to be created manually.
Let's learn how to create a registry resource and configure the token validity period manually.
To learn how to configure the token validity periods for all service providers, see OAuth Token Validity Period.
To use this feature, apply the WUM Update that was released for WSO2 Identity Server 5.3.0 on 2018-07-12.
Configurations
Follow the steps below to set up the token configurations for a service provider.
Before you begin
Access the WSO2 Identity Server Management Console as an administrator.
To create an OAuth service provider on the WSO2 Identity Server Management Console:
On the Main menu, click Identity > Service Providers > Add.
Enter token_validity_app in the Service Provider Name text box and click Register.
In the Inbound Authentication Configuration section, click OAuth/OpenID Connect Configuration > Configure.
Enter http://localhost:8080/playground2 in the Callback Url text box and click Add. Note that a client ID and client secret have been created.
Remain on the Management Console.
On the Main tab of the Management Console, click Registry > Browse.
Enter the registry resource path /_system/config/identity/config/spTokenExpireTime in the Location text box and click Go.
Expand Properties and click Add New Property.
Enter the service-provider-specific token validity configurations as given below and click Add.
Name: This is the client key (the client ID created above) of the service provider.
Value: This is the JSON document that holds the service-provider-specific token configurations.
Format
{
  "userAccessTokenExpireTime": <USER_ACCESS_TOKEN_VALIDITY_PERIOD>,
  "applicationAccessTokenExpireTime": <APPLICATION_ACCESS_TOKEN_VALIDITY_PERIOD>,
  "refreshTokenExpireTime": <REFRESH_TOKEN_VALIDITY_PERIOD>,
  "idTokenExpireTime": <ID_TOKEN_VALIDITY_PERIOD>,
  "renewRefreshToken": <WHETHER_THE_REFRESH_TOKEN_SHOULD_BE_RENEWED_OR_NOT_WHEN_THE_REFRESH_TOKEN_GRANT_IS_USED_POSSIBLE_VALUES:true,false>
}
Sample JSON document
{
  "userAccessTokenExpireTime": 500000,
  "applicationAccessTokenExpireTime": 500000,
  "refreshTokenExpireTime": 500000,
  "idTokenExpireTime": 7200000,
  "renewRefreshToken": false
}
Try it out
Let's try to retrieve the user access token validity period defined for the token_validity_app service provider.
To generate an access token with the authorization code grant type, update the placeholders in the following URL and open it in a browser.
Format
https://localhost:9443/oauth2/authorize?response_type=code&redirect_uri=<SERVICE_PROVIDER_CALLBACK_URL>&client_id=<SERVICE_PROVIDER_CLIENT_ID>&scope=<scopes>
Example
https://localhost:9443/oauth2/authorize?response_type=code&redirect_uri=http://localhost:8080/playground2&client_id=Z4uLkgXHWSk8dXT7kFW04ntLrJQa&scope=somescope_code
The web application sign in page appears.
Enter admin in the User Name and Password text boxes and click SIGN IN. The web application authorization page appears.
Click Approve. Note that you will be redirected to the callback URL with the authorization code.
To retrieve the access token validity period, update the placeholders in the following curl command and execute it in a command prompt.
Format
curl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic <base64encoded(SERVICE_PROVIDER_CLIENT_ID:SERVICE_PROVIDER_CLIENT_SECRET)>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=authorization_code&code=<AUTHORIZATION_CODE>&redirect_uri=<SERVICE_PROVIDER_CALLBACK_URL>'
Example
curl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic WjR1TGtnWEhXU2s4ZFhUN2tGVzA0bnRMckpRYTpQbTdjc1Y2b2JtMVhER1ZPa2s2cnplTVJNTVlh' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=authorization_code&code=e7913209-37df-31a9-a84d-238c74b16e72&redirect_uri=http://localhost:8080/playground2'
Note that the response will include the user access token validity period of the given service provider in the expires_in parameter.
Example
{"access_token":"8194ac1e-c833-3ed2-8f37-0036b5d82c70","refresh_token":"4667df71-fba8-37c0-8860-c0eabd95031a","scope":"somescope_code","token_type":"Bearer","expires_in":5000}
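The following helper, added here as an example and not part of the WSO2 documentation or product code, ties the two procedures above together: it builds and validates the per-service-provider JSON document that goes into the spTokenExpireTime registry property (rejecting non-integer periods and a non-boolean renewRefreshToken, which would otherwise be stored silently), builds the Basic authorization header that the curl example sends, and reads expires_in out of the token response. The client ID, client secret and sample values are the ones from this page's examples (the secret is the decoded half of the example Basic header).

```python
import base64
import json

# The registry property name is the service provider's client ID; its value is
# this JSON document (keys as documented above).
VALIDITY_KEYS = (
    "userAccessTokenExpireTime",
    "applicationAccessTokenExpireTime",
    "refreshTokenExpireTime",
    "idTokenExpireTime",
)


def build_sp_token_config(user_access, app_access, refresh, id_token, renew_refresh):
    """Return the compact JSON string to store as the registry property value."""
    periods = dict(zip(VALIDITY_KEYS, (user_access, app_access, refresh, id_token)))
    for key, value in periods.items():
        # bool is a subclass of int, so it has to be rejected explicitly.
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            raise ValueError(f"{key} must be a positive integer, got {value!r}")
    if not isinstance(renew_refresh, bool):
        raise ValueError("renewRefreshToken must be true or false")
    periods["renewRefreshToken"] = renew_refresh
    return json.dumps(periods, separators=(",", ":"))


def parse_sp_token_config(document):
    """Check a property value read back from the registry; returns it as a dict."""
    data = json.loads(document)
    try:
        build_sp_token_config(*(data[k] for k in VALIDITY_KEYS), data["renewRefreshToken"])
    except KeyError as missing:
        raise ValueError(f"registry document is missing key {missing}") from None
    return data


def basic_auth_header(client_id, client_secret):
    """Authorization header for the token endpoint: base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def expires_in_from_token_response(body):
    """Return expires_in (seconds, per RFC 6749) from a /oauth2/token JSON response."""
    response = json.loads(body)
    if "error" in response:
        raise RuntimeError(f"token request failed: {response['error']}")
    return int(response["expires_in"])
```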