
We have an OAuth/OIDC service developed in API Connect/Datapower.

When a user requests a new refresh_token - if any unexpected error occurs in the flow, the new refresh_token is not issued, and their existing refresh_token is revoked. This forces the user to go through a new consent flow. This can be problematic if large numbers of customers are affected due to some unexpected error. We would like the old refresh_token to still be valid in this scenario.

We raised this with our IBM support contact - and he said this works as intended (i.e. - it should revoke the old refresh_token as the first action - it is single use, regardless of outcome).

He did suggest that it is possible to configure the refresh_token to be used multiple times until it is revoked/expired.

I am not sure how to do this - or what versions it is supported in. He said '(in 2018.4.1.x)? For v5 gw, use extension to enable it, You will need the latest DP firmware release for the above'. It's been hard to get any clarity on this. The IBM developer forums even directed me to Stack Overflow...

Does anyone have any more information/experience with enabling a refresh_token to be used multiple times? Or what versions this is supported in (or links to any documentation about this)? I'm struggling to find anything concrete on this.

Thanks
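To make the two behaviours in the question concrete (the old refresh_token being revoked before the new one exists, versus only after the new one was issued, plus the "use it N times" variant), here is an added example in Python. It is not code from the question, from IBM API Connect or from DataPower; the in-memory store, the `refresh_grant` handler, the `demo` scenarios and every other name in it are hypothetical and only stand in for what a token endpoint has to decide.

```python
"""
Added example, not code from the question or from IBM API Connect/DataPower.
A minimal refresh_token grant handler; the store, the handler and every
name here are hypothetical and exist only to show the ordering problem.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


class IssuanceError(Exception):
    """Stands in for any unexpected error while minting new tokens."""


@dataclass
class RefreshToken:
    client_id: str
    subject: str
    expires_at: float
    max_uses: int                     # 1 = one-time use, N = reusable N times
    uses_left: int
    family: str                       # ties every token descended from one consent
    revoked: bool = False
    successor: Optional[str] = None   # set once a replacement has been issued


@dataclass
class RefreshTokenStore:
    tokens: Dict[str, RefreshToken] = field(default_factory=dict)
    revoked_families: Set[str] = field(default_factory=set)

    def issue(self, client_id: str, subject: str, uses: int = 1,
              ttl: int = 31 * 24 * 3600, family: Optional[str] = None) -> str:
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = RefreshToken(client_id, subject, time.time() + ttl,
                                        uses, uses, family or tok)
        return tok

    def is_valid(self, tok: str) -> bool:
        rt = self.tokens.get(tok)
        return (rt is not None and not rt.revoked and rt.uses_left > 0
                and rt.expires_at > time.time()
                and rt.family not in self.revoked_families)


def mint_access_token(subject: str) -> str:
    return secrets.token_urlsafe(24)      # placeholder for the real access token


def refresh_grant(store: RefreshTokenStore, presented: str,
                  mint: Callable[[str], str] = mint_access_token,
                  revoke_first: bool = True) -> dict:
    """grant_type=refresh_token. revoke_first=True mirrors the behaviour the
    question reports (old token consumed before anything else, so a failure in
    mint() forces a new consent flow); False consumes it only after success."""
    rt = store.tokens.get(presented)
    if rt is None:
        raise IssuanceError("invalid_grant")
    if rt.successor is not None:
        # A one-time token presented again after rotation means it leaked (or
        # the client lost the reply); revoke the whole family either way.
        store.revoked_families.add(rt.family)
        raise IssuanceError("invalid_grant: refresh token replay detected")
    if not store.is_valid(presented):
        raise IssuanceError("invalid_grant")

    if revoke_first:
        rt.uses_left -= 1
        rt.revoked = rt.uses_left == 0   # old token already gone before mint() runs
        access = mint(rt.subject)
    else:
        access = mint(rt.subject)        # raise here and nothing was changed
        rt.uses_left -= 1
        rt.revoked = rt.uses_left == 0
    if rt.revoked:                       # exhausted: hand out a replacement
        rt.successor = store.issue(rt.client_id, rt.subject,
                                   uses=rt.max_uses, family=rt.family)
    return {"access_token": access, "token_type": "bearer",
            "refresh_token": rt.successor or presented}


def _attempt(store: RefreshTokenStore, tok: str, **kw) -> bool:
    try:
        refresh_grant(store, tok, **kw)
        return True
    except IssuanceError:
        return False


def demo() -> dict:
    """Run the scenarios from the thread and report what survives each one."""
    def broken(_subject: str) -> str:
        raise IssuanceError("backend timeout")   # the 'unexpected error'

    out = {}
    s = RefreshTokenStore()
    t = s.issue("app", "alice")
    _attempt(s, t, mint=broken, revoke_first=True)
    out["revoke_first_old_token_valid"] = s.is_valid(t)      # False
    s = RefreshTokenStore()
    t = s.issue("app", "alice")
    _attempt(s, t, mint=broken, revoke_first=False)
    out["revoke_after_old_token_valid"] = s.is_valid(t)      # True
    s = RefreshTokenStore()
    t = s.issue("app", "alice", uses=3)                      # "count" = 3
    r1, r2, r3 = (refresh_grant(s, t) for _ in range(3))
    out["same_token_reused"] = r1["refresh_token"] == t == r2["refresh_token"]
    out["rotated_on_last_use"] = r3["refresh_token"] != t
    out["replay_accepted"] = _attempt(s, t)                  # False
    out["family_revoked_after_replay"] = not s.is_valid(r3["refresh_token"])
    return out
```

The caveat worth keeping in mind when switching a refresh token to multiple use: with a strictly one-time token, a second presentation is unambiguous evidence of replay and the whole family can be revoked (the last two lines of `demo`); a token that is legitimately reusable N times gives up that signal, so reuse by an attacker inside the count and lifetime is indistinguishable from the real client. Revoking only after the new tokens were issued (`revoke_first=False`) keeps the one-time semantics while removing the failure mode the question describes.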

3 Answers


I suppose he's talking about the count configuration. It is located just below Enable refresh tokens.

Section 'OAuth 2' -> Tokens -> Enable refresh tokens -> count

Hope this could be helpful

Alexan
  • Thanks for your reply - but I think this setting refers to the number of times you can request a new access token from a refresh token, which is a different issue to the one we have. Cheers. – Adrian Milne Feb 20 '19 at 14:20

For IBM API Connect version 2018.4.1, you can specify whether the refresh token for OAuth provider is One time use only or not.

See OAuth native provider>Tokens screen.

  • Cheers - that sounds exactly what I needed thanks - version and setting. I've upvoted (even though it doesn't show). Thanks +1 – Adrian Milne Feb 20 '19 at 14:21

After an access token expires, if the option is enabled in the OAuth provider API, the application can use refresh tokens. Each refresh token is valid for approximately 31 days after it is issued and can be used only once to request a new access token. Along with the new access token, a new refresh token is also returned.

Manoj K