By default, all tokens generated through WSO2 Identity Server have a common validity period. Certain service providers, however, might require tokens with longer lifespans than others. WSO2 Identity Server enables administrators to configure the access token validity periods of each service provider individually, based on need.
The token validity periods of each service provider are stored as JSON documents in a registry resource. For all existing super tenants and for new tenants, the registry resource is created automatically. For existing tenants, the registry resource has to be created manually.
Let's learn how to create a registry resource and configure the token validity period manually.
To learn how to configure the token validity periods for all service providers, see OAuth Token Validity Period.
To use this feature, apply the WUM Update that was released for WSO2 Identity Server 5.3.0 on 2018-07-12.
If you want to deploy a WUM update into production, you need to have a paid subscription. If you do not have a paid subscription, you can use this feature with the next version of WSO2 Identity Server when it is released. For more information on updating WSO2 Identity Server using WUM, see Getting Started with WUM in the WSO2 Administration Guide.
Configurations
Follow the steps below to set up the token configurations for a service provider.
Before you begin
- Install and run WSO2 Identity Server.
- Access the WSO2 Identity Server Management Console as an administrator.
- To create an OAuth service provider on the WSO2 Identity Server Management Console:
  - On the Main menu, click Identity > Service Providers > Add.
  - Enter token_validity_app in the Service Provider Name text box and click Register.
  - In the Inbound Authentication Configuration section, click OAuth/OpenID Connect Configuration > Configure. Enter http://localhost:8080/playground2 in the Callback Url text box and click Add. The Callback Url is the service provider's URL to which the authorization codes are sent. Upon successful authentication, the browser should be redirected to this URL. For more information on authorization codes, see Authorization Code Grant. Note that a client Id and client secret have been created.
  For more information on adding OAuth service providers, see Configuring Inbound Authentication for a Service Provider - OAuth/OpenID Connect Configuration.
  Remain on the Management Console.
- On the Main tab of the Management Console, click Registry > Browse.
- Enter /_system/config/identity/config/spTokenExpireTime as the registry resource path in the Location text box and click Go.
- Expand Properties and click Add New Property.
- Enter the service-provider-specific token validity configurations as given below and click Add.
  Name: This is the client key of the service provider.
  Value: This is the JSON document that has the service-provider-specific token configurations.
- The token validity periods are measured in milliseconds. If you set a negative value, e.g., -1, the token never expires.
Service-provider-specific token validity periods take precedence over their existing global counterparts that are maintained in the identity.xml file in the IS_HOME/repository/conf/identity directory.
Format:
{
  "userAccessTokenExpireTime": <USER_ACCESS_TOKEN_VALIDITY_PERIOD>,
  "applicationAccessTokenExpireTime": <APPLICATION_ACCESS_TOKEN_VALIDITY_PERIOD>,
  "refreshTokenExpireTime": <REFRESH_TOKEN_VALIDITY_PERIOD>,
  "idTokenExpireTime": <ID_TOKEN_VALIDITY_PERIOD>,
  "renewRefreshToken": <RENEW_REFRESH_TOKEN>
}
renewRefreshToken specifies whether the refresh token should be renewed when the refresh token grant is used. Possible values: true, false.
Sample JSON document:
{
  "userAccessTokenExpireTime": 500000,
  "applicationAccessTokenExpireTime": 500000,
  "refreshTokenExpireTime": 500000,
  "idTokenExpireTime": 7200000,
  "renewRefreshToken": false
}
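As an added example (not WSO2 code), the following Python validates a spTokenExpireTime property value against the format above, applies the per-service-provider precedence over constructed placeholder globals (assumed values, not read from a real identity.xml; a key the SP document omits is assumed to fall back to the global value), and converts the millisecond periods into the seconds the token endpoint reports as expires_in, treating a negative period as never expiring. The client key reuses the page's example; never_expires_app is a hypothetical one.

```python
import json

# Keys the spTokenExpireTime registry document may carry (the page's Format block).
PERIOD_KEYS = ("userAccessTokenExpireTime", "applicationAccessTokenExpireTime",
               "refreshTokenExpireTime", "idTokenExpireTime")

# Constructed stand-in for the global values in identity.xml (milliseconds);
# placeholder numbers, not read from a real identity.xml.
GLOBAL_DEFAULTS_MS = {k: 3600000 for k in PERIOD_KEYS}
GLOBAL_DEFAULTS_MS["renewRefreshToken"] = True


def parse_sp_config(raw: str) -> dict:
    """Validate one registry property value before it is stored: unknown keys,
    non-integer periods and a non-boolean renewRefreshToken are rejected."""
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("config must be a JSON object")
    for key, value in doc.items():
        if key in PERIOD_KEYS:
            if isinstance(value, bool) or not isinstance(value, int):
                raise ValueError(f"{key} must be an integer number of milliseconds")
        elif key == "renewRefreshToken":
            if not isinstance(value, bool):
                raise ValueError("renewRefreshToken must be true or false")
        else:
            raise ValueError(f"unknown key: {key}")
    return doc


def effective_config(registry: dict, client_id: str) -> dict:
    """Per-service-provider values take precedence over the global ones.
    Assumption: a key the SP document omits falls back to the global value."""
    merged = dict(GLOBAL_DEFAULTS_MS)
    if client_id in registry:
        merged.update(parse_sp_config(registry[client_id]))
    return merged


def expires_in_seconds(period_ms: int):
    """expires_in the token endpoint should report; None when the configured
    period is negative, i.e. the token never expires."""
    return None if period_ms < 0 else period_ms // 1000


# Constructed registry content: property name = client key, value = JSON document.
REGISTRY = {
    "Z4uLkgXHWSk8dXT7kFW04ntLrJQa": '{"userAccessTokenExpireTime":500000,'
    '"applicationAccessTokenExpireTime":500000,"refreshTokenExpireTime":500000,'
    '"idTokenExpireTime":7200000,"renewRefreshToken":false}',
    "never_expires_app": '{"userAccessTokenExpireTime":-1}',  # hypothetical client key
}
```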
To learn more about tokens, see Key Concepts - Access Tokens.
Try it out
Let's try to retrieve the user access token validity period defined for the token_validity_app service provider.
- To generate access tokens with the authorization code grant type, update the placeholders of the following command and run it in a browser.
  Format:
  https://localhost:9443/oauth2/authorize?response_type=code&redirect_uri=<SERVICE_PROVIDER_CALLBACK_URL>&client_id=<SERVICE_PROVIDER_CLIENT_ID>&scope=<scopes>
  Example:
  https://localhost:9443/oauth2/authorize?response_type=code&redirect_uri=http://localhost:8080/playground2&client_id=Z4uLkgXHWSk8dXT7kFW04ntLrJQa&scope=somescope_code
  The web application sign in page appears.
- Enter admin in the User Name and Password text boxes and click SIGN IN. The web application authorization page appears.
- Click Approve. Note that you will be redirected to the callback URL with the authorization code.
- To retrieve the access token validity period, update the placeholders of the following curl command and execute it in a command prompt.
  Format:
  curl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic <base64encoded(SERVICE_PROVIDER_CLIENT_ID:SERVICE_PROVIDER_CLIENT_SECRET)>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=authorization_code&code=<AUTHORIZATION_CODE>&redirect_uri=<SERVICE_PROVIDER_CALLBACK_URL>'
  Example:
  curl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic WjR1TGtnWEhXU2s4ZFhUN2tGVzA0bnRMckpRYTpQbTdjc1Y2b2JtMVhER1ZPa2s2cnplTVJNTVlh' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=authorization_code&code=e7913209-37df-31a9-a84d-238c74b16e72&redirect_uri=http://localhost:8080/playground2'
  Note that the response will include the user access token validity period of the given service provider in the expires_in parameter.
  Example:
  {
    "access_token": "8194ac1e-c833-3ed2-8f37-0036b5d82c70",
    "refresh_token": "4667df71-fba8-37c0-8860-c0eabd95031a",
    "scope": "somescope_code",
    "token_type": "Bearer",
    "expires_in": 5000
  }