This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

OAuth Token Validity Period

WSO2 Identity Server enables defining OAuth token validity periods for all OAuth service providers as well as for a particular service provider. This section explains how to define the token validity periods for all OAuth service providers. 

To learn how to configure the token validity periods of each service provider, see Configuring OAuth Token Validity Period for a Service Provider .

Configurations

Follow the steps below to set up the token configurations for all the service providers. 

Before you begin

  1. Install and run WSO2 Identity Server.
  2. Access the WSO2 Identity Server Management Console as an administrator.
  1. To create an OAuth service provider on the WSO2 Identity Server Management Console:
    1. On the Main menu, click Identity > Service Providers > Add.
    2. Enter all_token_validity_app in the Service Provider Name text box and click Register.
    3. In the Inbound Authentication Configuration section, click OAuth/OpenID Connect Configuration > Configure. 
    4. Enter  http://localhost:8080/playground2  in the Callback Url text box and click Add. 

      The Callback Url is the service provider's URL to which the  authorization codes  are sent. Upon successful authentication, the browser should be redirected to this URL. For more information on authorization codes, see Authorization Code Grant.

      Note that a client Id and client secret have been created.  

  2. Open the identity.xml file in the <IS_HOME>/repository/conf/identity directory.
  3. To change the token validity periods, configure the elements given below. 

    • By default, the token validity periods are set to 3600 milliseconds. If you set a minus value, e.g., -1, the token never expires.
    • The configuration changes mentioned below applies only to the newly created tokens.

    Token TypeElement XPATH of the Token Validity PeriodExample
    Application access token
    /Server/OAuth/AccessTokenDefaultValidityPeriod
    <AccessTokenDefaultValidityPeriod>3600</AccessTokenDefaultValidityPeriod>
    User access token
    /Server/OAuth/UserAccessTokenDefaultValidityPeriod
    <UserAccessTokenDefaultValidityPeriod>3600</UserAccessTokenDefaultValidityPeriod>
    ID token
    /Server/OAuth/OpenIDConnect/IDTokenExpiration
    <IDTokenExpiration>3600</IDTokenExpiration>
    Refresh token
    /Server/OAuth/RefreshTokenValidityPeriod
    <RefreshTokenValidityPeriod>84600</RefreshTokenValidityPeriod>

    To learn about the token types, see Key Concepts - Tokens.

  4. To define whether to renew the refresh token or not when the refresh token grant is used, configure the following element.  

    Possible ValuesElement XPATHExample
    • true (default value)
    • false
    /Server/OAuth/RenewRefreshTokenForRefreshGrant
    <RenewRefreshTokenForRefreshGrant>true</RenewRefreshTokenForRefreshGrant>

    For more information on refresh token grant, see Refresh Token Grant.

Try it out

Let's try to retrieve the user access token validity period that is defined for all the service providers.

  1. To generate access tokens with the authorization code grant type, update the place holders of the following command and run it in a browser. 

    Format
    https://localhost:9443/oauth2/authorize?response_type=code&redirect_uri=<SERVICE_PROVIDER_CALLBACK_URL>&client_id=<SERVICE_PROVIDER_CLIENT_ID>&scope=<scopes>

    Example
    https://localhost:9443/oauth2/authorize?response_type=code&redirect_uri=http://localhost:8080/playground2&client_id=Z4uLkgXHWSk8dXT7kFW04ntLrJQa&scope=somescope_code

    The web application sign in page appears.

  2. Enter admin in the User Name and Password text boxes and click SIGN IN. The web application authorization page appears.

  3. Click Approve. Note that you will be redirected to the callback URL with the authorization code.

  4. To retrieve the access token validity period, update the place holders of the following curl and execute in a command prompt. 

    Format
    curl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic <base64encoded(SERVICE_PROVIDER_CLIENT_ID:SERVICE_PROVIDER_CLIENT_SECRET)>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=authorization_code&code=<AUTHORIZATION_CODE>&redirect_uri=<SERVICE_PROVIDER_CALLBACK_URL>'

    Example
    curl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic WjR1TGtnWEhXU2s4ZFhUN2tGVzA0bnRMckpRYTpQbTdjc1Y2b2JtMVhER1ZPa2s2cnplTVJNTVlh' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=authorization_code&code=e7913209-37df-31a9-a84d-238c74b16e72&redirect_uri=http://localhost:8080/playground2'

    Note that the response will include the user access token validity period defined for all the service providers in the expires_in parameter. 

    Example
    {"access_token":"5b6ae5e6-08c2-36d4-9dfe-baff099ddb29","refresh_token":"e4c868e6-c7b8-3c3b-809e-dcfd8bb2efad","scope":"somescope_code","token_type":"Bearer","expires_in":3600}