This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Issuing New Tokens Per Request

By default, when multiple token requests arrive for the same combination of client ID, user and scopes, the same access token and refresh token are returned for all of those requests until the token expires.

This feature changes that behaviour: for each token request, the existing active token is revoked and a new access token and refresh token are issued.

To use this feature, apply the 3902 WUM update for WSO2 IS 5.7.0 using the WSO2 Update Manager (WUM).

To deploy a WUM update into production, you need to have a paid subscription. If you do not have a paid subscription, you can use this feature with the next version of WSO2 Identity Server when it is released. For more information on updating WSO2 Identity Server using WUM, see Getting Started with WUM in the WSO2 Administration Guide.

Try it out

Add the following configuration within the <OAuth> tag in the identity.xml file in <is_home>/repository/conf/identity to enable issuing a new token per request:

<RenewTokenPerRequest>true</RenewTokenPerRequest>

If the OAuthTokenGenerator extension point is used, it overrides the value of RenewTokenPerRequest: code-level changes take precedence over this configuration. For the same reason, the setting does not affect the flow for self-contained access tokens, which are already renewed on every request by default. It does not affect the refresh token grant type either: that grant always renews the access token, and renews the refresh token depending on the value of the RenewRefreshTokenForRefreshGrant configuration in the identity.xml file.

Test it out

After enabling the feature, create an OAuth application in the Identity Server and note its Client ID and Client Secret. You can then request tokens with the password grant type using the cURL command given below. Note that the -k flag disables TLS certificate verification; it is used here only because a default installation serves localhost with a self-signed certificate, and it should not be used against a production endpoint.

curl -v -X POST -H "Authorization: Basic <base64encoded clientId:clientSecret>" -k -d "grant_type=password&username=admin&password=admin&scope=somescope" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token


When you send the same request a second time, a new token is generated and the token returned by the first request is revoked. As long as the client ID, user and scopes match, this happens regardless of which grant type the second call uses. Any caller still holding the first token will therefore fail validation from that point on, so enable this feature only if your clients do not expect several concurrently valid tokens for the same user and application.

Given below are the responses to the first and the second requests.



You can also introspect the old access token using the following cURL command; the introspection response shows that it is now inactive.
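As an added example, not part of the original page and not WSO2's own code, the following Python model reproduces offline the two behaviours described above: the default, where the same token is handed back for an identical client ID, user and scope combination until it expires, and RenewTokenPerRequest, where the active token is revoked and a fresh one issued on every request. The class and method names, the token format, the injectable clock and the treatment of the scope string as an unordered set are assumptions made for illustration; the introspection dictionary only mimics the shape of an introspection response.

```python
# Added example (not WSO2 code): an in-memory model of the token-issuance
# semantics described on this page, so both behaviours can be compared offline.
# Names, token format, lifetime and the scope-as-set assumption are illustrative.
import secrets
import time
from dataclasses import dataclass


@dataclass
class Token:
    access_token: str
    refresh_token: str
    client_id: str
    user: str
    scope: frozenset
    expires_at: float
    active: bool = True


class TokenService:
    """Models /oauth2/token (password grant) and /oauth2/introspect with
    RenewTokenPerRequest either disabled (default) or enabled."""

    def __init__(self, renew_token_per_request=False, lifetime=3600, clock=time.time):
        self.renew = renew_token_per_request
        self.lifetime = lifetime          # assumed access-token lifetime in seconds
        self.clock = clock                # injectable so expiry can be simulated
        self._by_key = {}                 # (client_id, user, scopes) -> current Token
        self._by_access = {}              # access_token -> Token, for introspection

    @staticmethod
    def _key(client_id, user, scope):
        # Assumption: scope order is irrelevant, so "a b" and "b a" share a token.
        return (client_id, user, frozenset(scope.split()))

    def password_grant(self, client_id, user, scope):
        key = self._key(client_id, user, scope)
        now = self.clock()
        existing = self._by_key.get(key)
        if existing is not None and existing.active and existing.expires_at > now:
            if not self.renew:
                return existing           # default: reuse until it expires
            existing.active = False       # RenewTokenPerRequest: revoke, then issue
        token = Token(
            access_token=secrets.token_urlsafe(24),
            refresh_token=secrets.token_urlsafe(24),
            client_id=client_id,
            user=user,
            scope=key[2],
            expires_at=now + self.lifetime,
        )
        self._by_key[key] = token
        self._by_access[token.access_token] = token
        return token

    def introspect(self, access_token):
        """Revoked, expired and unknown tokens all report active=false."""
        t = self._by_access.get(access_token)
        if t is None or not t.active or t.expires_at <= self.clock():
            return {"active": False}
        return {
            "active": True,
            "client_id": t.client_id,
            "username": t.user,
            "scope": " ".join(sorted(t.scope)),
            "exp": int(t.expires_at),
        }


def compare():
    """Issue two identical password-grant requests under each setting and
    report what the page claims: same token by default, new token plus
    revoked old token with RenewTokenPerRequest."""
    default = TokenService(renew_token_per_request=False)
    a = default.password_grant("client1", "admin", "somescope")
    b = default.password_grant("client1", "admin", "somescope")

    renew = TokenService(renew_token_per_request=True)
    c = renew.password_grant("client1", "admin", "somescope")
    d = renew.password_grant("client1", "admin", "somescope")

    return {
        "default_same_token": a.access_token == b.access_token,
        "renew_new_token": c.access_token != d.access_token,
        "renew_old_active": renew.introspect(c.access_token)["active"],
        "renew_new_active": renew.introspect(d.access_token)["active"],
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The injectable clock is there to check the one case the page leaves implicit: once a token has expired, even the default setting issues a new one, and introspecting the old token reports it inactive, so the only observable difference RenewTokenPerRequest makes is what happens while the first token is still within its lifetime.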