This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
OAuth Token Validity Period
To learn how to configure the token validity periods of each service provider, see Configuring OAuth Token Validity Period for a Service Provider.
Configurations
Before you begin
- Install and run WSO2 Identity Server.
- Access the WSO2 Identity Server Management Console as an administrator.
- To create an OAuth service provider on the WSO2 Identity Server Management Console:
  - On the Main menu, click Identity > Service Providers > Add.
  - Enter all_token_validity_app in the Service Provider Name text box and click Register.
  - In the Inbound Authentication Configuration section, click OAuth/OpenID Connect Configuration > Configure. Enter http://localhost:8080/playground2 in the Callback Url text box and click Add.
    The Callback Url is the service provider's URL to which the authorization codes are sent. Upon successful authentication, the browser should be redirected to this URL. For more information on authorization codes, see Authorization Code Grant.
    Note that a client Id and client secret have been created.
    For more information on adding OAuth service providers, see Configuring Inbound Authentication for a Service Provider - OAuth/OpenID Connect Configuration.
- Open the identity.xml file in the <IS_HOME>/repository/conf/identity directory. To change the token validity periods, configure the elements given below.
  - By default, the token validity periods are set to 3600 milliseconds. If you set a negative value, e.g., -1, the token never expires.
  - The configuration changes mentioned below apply only to newly created tokens.
| Token Type | Element XPATH of the Token Validity Period | Example |
|---|---|---|
| Application access token | /Server/OAuth/AccessTokenDefaultValidityPeriod | <AccessTokenDefaultValidityPeriod>3600</AccessTokenDefaultValidityPeriod> |
| User access token | /Server/OAuth/UserAccessTokenDefaultValidityPeriod | <UserAccessTokenDefaultValidityPeriod>3600</UserAccessTokenDefaultValidityPeriod> |
| ID token | /Server/OAuth/OpenIDConnect/IDTokenExpiration | <IDTokenExpiration>3600</IDTokenExpiration> |
| Refresh token | /Server/OAuth/RefreshTokenValidityPeriod | <RefreshTokenValidityPeriod>84600</RefreshTokenValidityPeriod> |
To learn about the token types, see Key Concepts - Tokens.
To define whether to renew the refresh token or not when the refresh token grant is used, configure the following element.

| Possible Values | Element XPATH | Example |
|---|---|---|
| true (default value), false | /Server/OAuth/RenewRefreshTokenForRefreshGrant | <RenewRefreshTokenForRefreshGrant>true</RenewRefreshTokenForRefreshGrant> |
For more information on refresh token grant, see Refresh Token Grant.
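The following is an added example, not part of the WSO2 documentation or product code: a small audit of identity.xml that reads the elements from the tables above and reports negative validity periods (tokens that never expire), non-numeric values, values above a reviewer-chosen limit, and disabled refresh token renewal. The function names, the max_period limit, the sample file and its namespace are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Element paths below /Server, taken from the tables on this page.
VALIDITY_PATHS = {
    "application access token": "OAuth/AccessTokenDefaultValidityPeriod",
    "user access token": "OAuth/UserAccessTokenDefaultValidityPeriod",
    "ID token": "OAuth/OpenIDConnect/IDTokenExpiration",
    "refresh token": "OAuth/RefreshTokenValidityPeriod",
}
RENEW_PATH = "OAuth/RenewRefreshTokenForRefreshGrant"

# Constructed sample (namespace included), not a real deployment's file.
SAMPLE_IDENTITY_XML = """<Server xmlns="urn:example:constructed">
  <OAuth>
    <AccessTokenDefaultValidityPeriod>3600</AccessTokenDefaultValidityPeriod>
    <UserAccessTokenDefaultValidityPeriod>-1</UserAccessTokenDefaultValidityPeriod>
    <RefreshTokenValidityPeriod>84600</RefreshTokenValidityPeriod>
    <RenewRefreshTokenForRefreshGrant>false</RenewRefreshTokenForRefreshGrant>
    <OpenIDConnect><IDTokenExpiration>abc</IDTokenExpiration></OpenIDConnect>
  </OAuth>
</Server>"""

def _strip_namespaces(root):
    # Drop "{namespace}" prefixes so the plain paths above match any file.
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root

def audit_identity_xml(xml_text, max_period=None):
    """Return (element path, finding) pairs for risky token settings."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    findings = []
    for token, path in VALIDITY_PATHS.items():
        raw = (root.findtext(path) or "").strip()
        if not raw:
            continue  # element absent or empty: the server default applies
        try:
            value = int(raw)
        except ValueError:
            findings.append((path, f"{token}: non-numeric value {raw!r}"))
            continue
        if value < 0:
            findings.append((path, f"{token}: {value} means it never expires"))
        elif max_period is not None and value > max_period:
            findings.append((path, f"{token}: {value} exceeds limit {max_period}"))
    if (root.findtext(RENEW_PATH) or "true").strip().lower() == "false":
        findings.append((RENEW_PATH, "refresh token is not renewed on refresh grant"))
    return findings
```

Pass max_period in the same unit as the configured values; leave it as None to report only never-expiring tokens, malformed values and disabled renewal.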
Try it out
Let's try to retrieve the user access token validity period that is defined for all the service providers.
To generate access tokens with the authorization code grant type, update the placeholders of the following URL and open it in a browser.

Format:
https://localhost:9443/oauth2/authorize?response_type=code&redirect_uri=<SERVICE_PROVIDER_CALLBACK_URL>&client_id=<SERVICE_PROVIDER_CLIENT_ID>&scope=<scopes>

Example:
https://localhost:9443/oauth2/authorize?response_type=code&redirect_uri=http://localhost:8080/playground2&client_id=Z4uLkgXHWSk8dXT7kFW04ntLrJQa&scope=somescope_code

The web application sign in page appears.

Enter admin in the User Name and Password text boxes and click SIGN IN. The web application authorization page appears. Click Approve. Note that you will be redirected to the callback URL with the authorization code.

To retrieve the access token validity period, update the placeholders of the following curl command and execute it in a command prompt.

Format:
curl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic <base64encoded(SERVICE_PROVIDER_CLIENT_ID:SERVICE_PROVIDER_CLIENT_SECRET)>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=authorization_code&code=<AUTHORIZATION_CODE>&redirect_uri=<SERVICE_PROVIDER_CALLBACK_URL>'

Example:
curl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic WjR1TGtnWEhXU2s4ZFhUN2tGVzA0bnRMckpRYTpQbTdjc1Y2b2JtMVhER1ZPa2s2cnplTVJNTVlh' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=authorization_code&code=e7913209-37df-31a9-a84d-238c74b16e72&redirect_uri=http://localhost:8080/playground2'

Note that the response will include the user access token validity period defined for all the service providers in the expires_in parameter.

Example:
{"access_token":"5b6ae5e6-08c2-36d4-9dfe-baff099ddb29","refresh_token":"e4c868e6-c7b8-3c3b-809e-dcfd8bb2efad","scope":"somescope_code","token_type":"Bearer","expires_in":3600}