Configuring OAuth Token Validity Period for a Service Provider

By default, all tokens generated through WSO2 Identity Server has a common validity period. Certain service providers however, might require the tokens to have longer lifespans compared to others. WSO2 Identity Server enables administrators to individually configure the access token validity periods of each service provider based on the need.

The token validity periods of each service provider are stored as JSON documents in a registry resource. For all the existing super tenants and new tenants, a new registry resource will be automatically created. For existing tenants, the registry resource has to be manually created.

Let's learn how to create a registry resource and configure the token validity period manually.

To learn how to configure the token validity periods for all service providers, see OAuth Token Validity Period.

To use this feature, apply the WUM Update that was released for WSO2 Identity Server 5.3.0 on 2018-07-12.

If you want to deploy a WUM update into production, you need to have a paid subscription. If you do not have a paid subscription, you can use this feature with the next version of WSO2 Identity Server when it is released. For more information on updating WSO2 Identity Server using WUM, see Getting Started with WUM in the WSO2 Administration Guide.

Configurations

Follow the steps below to set up the token configurations for a service provider.

Before you begin

Install and run WSO2 Identity Server.
Access the WSO2 Identity Server Management Console as an administrator.

To create an OAuth service provider on the WSO2 Identity Server Management Console:
1. On the Main menu, click Identity > Service Providers > Add.
2. Enter token_validity_app in the Service Provider Name text box and click Register.
3. In the Inbound Authentication Configuration section, click OAuth/OpenID Connect Configuration > Configure.
4. Enter http://localhost:8080/playground2 in the Callback Url text box and click Add.
  
  The Callback Url is the service provider's URL to which the authorization codes are sent. Upon successful authentication, the browser should be redirected to this URL. For more information on authorization codes, see Authorization Code Grant.
  Note that a client Id and client secret have been created.
  
  For more information adding OAuth service providers, see Configuring Inbound Authentication for a Service Provider - OAuth/OpenID Connect Configuration.
  Remain on the Management Console.
On the Main tab of the Management Console, click Registry > Browse.
Enter /_system/config/identity/config/spTokenExpireTime registry resource path in the Location text box and click Go.
Expand Properties and click Add New Property.
Enter the service-provider-specific token validity configurations as given below and click Add.
1. Name: This is the client key of the service provider.
2. Value: This is the JSON document that has the service-provider-specific token configurations.
  - The token validity periods are measured in milliseconds. If you set a minus value, e.g., -1, the token never expires.
  - Service-provider-specific token validity periods take precedence over their existing global counterparts that are maintained in the identity.xml file in the IS_HOME/repository/conf/identity directory.
  Format
```
{"userAccessTokenExpireTime":<USER_ACCESS_TOKEN_VALIDITY_PERIOD>,"applicationAccessTokenExpireTime":<APPLICATION_ACCESS_TOKEN_VALIDITY_PERIOD>,"refreshTokenExpireTime":<REFRESH_TOKEN_VALIDITY_PERIOD>,"idTokenExpireTime":<ID_TOKEN_VALIDITY_PERIOD>,"renewRefreshToken":<WHETHER_THE_REFRESH_TOKEN_SHOULD_BE_RENEWED_OR_NOT_WHEN_THE_REFRESH_TOKEN_GRANT_IS_USED_POSSIBLE_VALUES:true,false>}
```
  Sample JSON document
```
{"userAccessTokenExpireTime":500000,"applicationAccessTokenExpireTime":500000,"refreshTokenExpireTime":500000,"idTokenExpireTime":7200000,"renewRefreshToken":false}
```
  To learn more about tokens, see Key Concepts - Access Tokens.

Try it out

Let's try to retrieve the user access token validity period defined for the token_validity_app service provider.

To generate access tokens with the authorization code grant type, update the place holders of the following command and run it in a browser.

Format

https://localhost:9443/oauth2/authorize?response_type=code&redirect_uri=<SERVICE_PROVIDER_CALLBACK_URL>&client_id=<SERVICE_PROVIDER_CLIENT_ID>&scope=<scopes>

Example

https://localhost:9443/oauth2/authorize?response_type=code&redirect_uri=http://localhost:8080/playground2&client_id=Z4uLkgXHWSk8dXT7kFW04ntLrJQa&scope=somescope_code

The web application sign in page appears.

Enter admin in the User Name and Password text boxes and click SIGN IN. The web application authorization page appears.
Click Approve. Note that you will be redirected to the callback URL with the authorization code.

To retrieve the access token validity period, update the place holders of the following curl and execute in a command prompt.

Format

curl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic <base64encoded(SERVICE_PROVIDER_CLIENT_ID:SERVICE_PROVIDER_CLIENT_SECRET)>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=authorization_code&code=<AUTHORIZATION_CODE>&redirect_uri=<SERVICE_PROVIDER_CALLBACK_URL>'

Example

curl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic WjR1TGtnWEhXU2s4ZFhUN2tGVzA0bnRMckpRYTpQbTdjc1Y2b2JtMVhER1ZPa2s2cnplTVJNTVlh' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=authorization_code&code=e7913209-37df-31a9-a84d-238c74b16e72&redirect_uri=http://localhost:8080/playground2'

Note that the response will include the user access token validity period of the given service provider in the expires_in parameter.

Example

{"access_token":"8194ac1e-c833-3ed2-8f37-0036b5d82c70","refresh_token":"4667df71-fba8-37c0-8860-c0eabd95031a","scope":"somescope_code","token_type":"Bearer","expires_in":5000}