OAUTH2 'Token Lifetime' and 'Refresh Token' Settings

Sep 28, 2017 at 09:38 AM


Hi All,

We have configured OAUTH2 and set Token Lifetime to the default 3600 seconds.

However, after 24 hours the same token is still valid and I don't know why.

Refresh Token setting is currently switched off.

Does the 'Refresh Token' setting have any influence over the Token Lifetime setting? i.e. does it need to be activated for the Token Lifetime setting to expire?

The help for the 'Refresh token' field states:

The Refresh Allowed flag has multiple dependencies:

  • If the flag is set and the Application Server ABAP receives a valid access token request, the AS ABAP issues a new refresh token to the client and includes it in the access token response. The AS ABAP revokes old refresh tokens that were issued for the same client / user / scope combination. Refresh tokens are issued both in grant type authorization code and SAML 2.0 bearer assertion.
  • If the flag is set to active, the client can use a refresh token to request a new access token without user interaction. This means that the client can send a refresh request. If the flag is set to not active, refresh requests are not allowed, and a request attempt results in an error response.
  • If you disallow refresh requests by deactivating the Refresh Allowed flag, existing refresh tokens are not affected and remain valid. They may be reused after the administrator has activated the Refresh Allowed flag again.
  • Each time the AS ABAP receives a valid refresh request from a client, it issues a new refresh token and includes it in the refresh response. After that, the AS ABAP revokes the refresh token received in the refresh request. The client should also replace its current refresh token by the new refresh token received from the AS ABAP.
  • You can restrict the validity period of issued refresh tokens by defining the period in Refresh Token Expires After. The AS ABAP automatically revokes and cleans up expired refresh tokens. If you do not change this value and keep the default value, the AS ABAP restricts the validity period of issued refresh tokens to 2 years. This ensures that the AS ABAP detects refresh tokens that are not used anymore by the client and cleans them up.
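The five rules in the quoted help text are easy to misread, so here is an added toy model of them in Python. It is not SAP code and does not talk to an AS ABAP; time is passed in explicitly as seconds so each scenario is deterministic. Everything it assumes is labelled: the error codes are constructed, the "Token Lifetime" and "Refresh Token Expires After" values are the defaults named in the question and the help text, and the model treats access-token expiry as independent of the Refresh Allowed flag, which is standard OAuth 2.0 behaviour and is consistent with (but not stated by) the quoted text. The model cannot explain the 24-hour observation in the question; that has to be checked against the real server's token response and its validation of the token actually presented.

```python
"""Toy model of the 'Refresh Allowed' rules quoted above (constructed example)."""
import secrets
from dataclasses import dataclass, field

ACCESS_TOKEN_LIFETIME = 3600              # 'Token Lifetime' default from the question
REFRESH_TOKEN_LIFETIME = 2 * 365 * 86400  # 'Refresh Token Expires After' default: 2 years


@dataclass
class Token:
    value: str
    client: str
    user: str
    scope: str
    issued_at: int
    lifetime: int
    revoked: bool = False

    def valid(self, now: int) -> bool:
        # Expiry is purely issue time + lifetime; the refresh flag plays no part (model assumption)
        return not self.revoked and now < self.issued_at + self.lifetime


@dataclass
class AuthServer:
    refresh_allowed: bool
    access_tokens: dict = field(default_factory=dict)
    refresh_tokens: dict = field(default_factory=dict)

    def _issue(self, store: dict, client: str, user: str, scope: str, now: int, lifetime: int) -> Token:
        tok = Token(secrets.token_urlsafe(16), client, user, scope, now, lifetime)
        store[tok.value] = tok
        return tok

    def _revoke_refresh_for(self, client: str, user: str, scope: str) -> None:
        for tok in self.refresh_tokens.values():
            if (tok.client, tok.user, tok.scope) == (client, user, scope):
                tok.revoked = True

    def access_token_request(self, client: str, user: str, scope: str, now: int) -> dict:
        """Authorization-code / SAML bearer grant (bullets 1 and 2): the access token is
        always issued; a refresh token only when the flag is set, and then earlier refresh
        tokens for the same client/user/scope are revoked."""
        access = self._issue(self.access_tokens, client, user, scope, now, ACCESS_TOKEN_LIFETIME)
        response = {"access_token": access.value, "expires_in": ACCESS_TOKEN_LIFETIME}
        if self.refresh_allowed:
            self._revoke_refresh_for(client, user, scope)
            refresh = self._issue(self.refresh_tokens, client, user, scope, now, REFRESH_TOKEN_LIFETIME)
            response["refresh_token"] = refresh.value
        return response

    def refresh_request(self, refresh_value: str, now: int) -> dict:
        """Refresh grant: refused outright while the flag is off (bullet 2); otherwise the
        presented refresh token is revoked and a rotated one is returned (bullet 4)."""
        if not self.refresh_allowed:
            return {"error": "unauthorized_client"}  # constructed error code
        old = self.refresh_tokens.get(refresh_value)
        if old is None or not old.valid(now):
            return {"error": "invalid_grant"}        # constructed error code
        old.revoked = True
        access = self._issue(self.access_tokens, old.client, old.user, old.scope, now, ACCESS_TOKEN_LIFETIME)
        new_refresh = self._issue(self.refresh_tokens, old.client, old.user, old.scope, now, REFRESH_TOKEN_LIFETIME)
        return {"access_token": access.value, "expires_in": ACCESS_TOKEN_LIFETIME,
                "refresh_token": new_refresh.value}

    def introspect(self, access_value: str, now: int) -> bool:
        """Resource-server side check: is this access token still accepted at time `now`?"""
        tok = self.access_tokens.get(access_value)
        return tok is not None and tok.valid(now)

    def cleanup(self, now: int) -> int:
        """Bullet 5: drop refresh tokens that are expired or revoked; returns how many."""
        dead = [v for v, t in self.refresh_tokens.items() if not t.valid(now)]
        for v in dead:
            del self.refresh_tokens[v]
        return len(dead)


def run_scenarios() -> dict:
    """Walks through the quoted rules and returns one boolean per observation."""
    r = {}
    # Access-token lifetime is enforced the same way whether the flag is on or off.
    for flag in (False, True):
        srv = AuthServer(refresh_allowed=flag)
        resp = srv.access_token_request("client1", "alice", "read", now=0)
        r[f"access_ok_at_3599_flag_{flag}"] = srv.introspect(resp["access_token"], 3599)
        r[f"access_ok_at_86400_flag_{flag}"] = srv.introspect(resp["access_token"], 86400)
    # Flag off: no refresh token is issued and refresh requests get an error response.
    srv = AuthServer(refresh_allowed=False)
    resp = srv.access_token_request("client1", "alice", "read", now=0)
    r["no_refresh_token_when_off"] = "refresh_token" not in resp
    r["refresh_rejected_when_off"] = "error" in srv.refresh_request("whatever", now=10)
    # Flag on: each refresh rotates the token and the presented one cannot be replayed.
    srv = AuthServer(refresh_allowed=True)
    first = srv.access_token_request("client1", "alice", "read", now=0)
    second = srv.refresh_request(first["refresh_token"], now=4000)
    r["rotation_issues_new_refresh"] = second["refresh_token"] != first["refresh_token"]
    r["old_refresh_replay_fails"] = "error" in srv.refresh_request(first["refresh_token"], now=4001)
    # Deactivating the flag leaves existing refresh tokens valid but unusable until reactivation.
    srv.refresh_allowed = False
    r["refresh_rejected_after_deactivation"] = "error" in srv.refresh_request(second["refresh_token"], now=5000)
    srv.refresh_allowed = True
    third = srv.refresh_request(second["refresh_token"], now=5001)
    r["refresh_reusable_after_reactivation"] = "refresh_token" in third
    # Default two-year expiry, after which the server refuses and cleans the token up.
    later = 5001 + REFRESH_TOKEN_LIFETIME
    r["refresh_expired_after_two_years"] = "error" in srv.refresh_request(third["refresh_token"], now=later)
    r["cleanup_removes_dead_tokens"] = srv.cleanup(now=later) == 3
    return r


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The `introspect` call is the part worth mirroring on a real deployment: what decides whether a token is "still valid" is the server's check of the presented access token against its issue time and lifetime, not the client's belief, and the refresh flag only governs whether a client can obtain a new token without user interaction.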


0 Answers