Layer7 API Management

  • 1.  Does a client's lifetime extend in MAG?

    Posted Feb 26, 2016 03:19 PM

    We have a MAG setup with a Client X.  Client X is marked as a MAG Master Key client so the expiration is set to never expire.  Using Client X's client id we then register multiple sub clients using the dynamic_client_credentials, register_device, and request_token APIs.  The sub clients use our APIs, access tokens expire and they use the refresh token to get new ones.  The expiration of the sub client seems to be static while the access/refresh tokens roll off.  Eventually the times would overlap and the client_id and client_secret expire.

     

    Does the expiration of sub clients ever increase?  If so, where is this configured?  If not, is the expectation that the sub clients get a new client_id and client_secret by calling the dynamic_client_credentials API again but passing in the device-identifier header?



  • 2.  Re: Does a client's lifetime extend in MAG?

    Posted Feb 26, 2016 06:04 PM

    The lifetime for client_ids generated at /connect/client/initialize can be configured in "OTK-<Version>/Policy Fragments/configuration/OTK Token Lifetime Configuration". All lifetimes are configured within that policy. Search for "oauth2_client_id_lifetime_SDK_m"; the value is configured in minutes.

    The mobile SDKs will use those client_ids until they expire and will retrieve new ones at the same APIs afterwards, always using the "master-key".

    To configure variants of that default lifetime for mobile clients please follow my blog entry named OTK token lifetimes customized for OAuth clients and apply it accordingly.



  • 3.  Re: Does a client's lifetime extend in MAG?

    Posted Mar 02, 2016 11:18 AM

    Thanks, Sascha.  So after playing around with the settings and doing some testing, it looks like the client app needs to re-call the dynamic_client_credentials flow with the optional device-identifier header and then call request_token.  The grant_type on the request_token call is NOT refresh, since the refresh token is tied to the expired client_id.
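The behaviour worked out in posts 2 and 3, shown as an added example that is not part of this thread and not MAG/OTK code: an in-memory stand-in for the gateway models a fixed client_id lifetime (standing in for oauth2_client_id_lifetime_SDK_m), refresh tokens bound to the client_id that issued them, and a client that falls back to re-registering with the master key and the device-identifier, then uses a non-refresh grant. Endpoint names in comments, the lifetime values, the `invalid_client` error strings, refresh-token rotation and the `password` grant are all assumptions made for the simulation, not a description of the real policy.

```python
"""Simulation of the MAG sub-client lifetime problem (added example, not MAG/OTK code).

Assumptions (not from the thread): lifetimes below, error strings, refresh-token
rotation on use, and the password grant as the non-refresh grant after re-registration.
"""
import secrets
from dataclasses import dataclass, field

CLIENT_ID_LIFETIME_MIN = 60      # stands in for oauth2_client_id_lifetime_SDK_m (assumed value)
ACCESS_TOKEN_LIFETIME_S = 600    # assumed
REFRESH_TOKEN_LIFETIME_S = 3600  # assumed; may outlive the client_id, which is the problem


class OAuthError(Exception):
    pass


@dataclass
class FakeMAG:
    """Minimal gateway stand-in with an explicit clock so a test can advance time."""
    now: float = 0.0
    master_keys: set = field(default_factory=set)
    clients: dict = field(default_factory=dict)        # client_id -> (secret, expiry, device_id)
    refresh_tokens: dict = field(default_factory=dict) # refresh_token -> (client_id, expiry)

    def client_initialize(self, master_client_id, device_identifier):
        """Models dynamic_client_credentials (/connect/client/initialize) with the master key."""
        if master_client_id not in self.master_keys:
            raise OAuthError("invalid_client")
        client_id, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.clients[client_id] = (secret, self.now + CLIENT_ID_LIFETIME_MIN * 60, device_identifier)
        return client_id, secret

    def _check_client(self, client_id, client_secret):
        entry = self.clients.get(client_id)
        if entry is None or entry[0] != client_secret:
            raise OAuthError("invalid_client")
        if self.now >= entry[1]:
            raise OAuthError("invalid_client: client_id expired")

    def token(self, grant_type, client_id, client_secret, **params):
        """Models request_token: the client check runs before any refresh token is looked at,
        so a refresh token can never rescue an expired client_id."""
        self._check_client(client_id, client_secret)
        if grant_type == "refresh_token":
            rt = self.refresh_tokens.pop(params["refresh_token"], None)
            if rt is None or rt[0] != client_id or self.now >= rt[1]:
                raise OAuthError("invalid_grant")
        elif grant_type != "password":
            raise OAuthError("unsupported_grant_type")
        access, refresh = secrets.token_hex(16), secrets.token_hex(16)
        self.refresh_tokens[refresh] = (client_id, self.now + REFRESH_TOKEN_LIFETIME_S)
        return {"access_token": access, "refresh_token": refresh,
                "expires_in": ACCESS_TOKEN_LIFETIME_S}


class SubClient:
    """Client side of the flow from post 3: refresh while the client_id is valid,
    otherwise re-register (with device-identifier) and use a non-refresh grant."""

    def __init__(self, gw, master_client_id, device_identifier, username, password):
        self.gw, self.master, self.device_id = gw, master_client_id, device_identifier
        self.username, self.password = username, password
        self.registrations = 0
        self.register()

    def register(self):
        self.client_id, self.client_secret = self.gw.client_initialize(self.master, self.device_id)
        self.registrations += 1
        # fresh client_id, so the old refresh token is useless: use a non-refresh grant
        self.tokens = self.gw.token("password", self.client_id, self.client_secret,
                                    username=self.username, password=self.password)

    def refresh_or_reregister(self):
        try:
            self.tokens = self.gw.token("refresh_token", self.client_id, self.client_secret,
                                        refresh_token=self.tokens["refresh_token"])
        except OAuthError as err:
            if not str(err).startswith("invalid_client"):
                raise
            self.register()
        return self.tokens["access_token"]


def run_scenario():
    """Register, refresh once inside the client lifetime, then refresh after it expired."""
    gw = FakeMAG(master_keys={"master-x"})            # constructed master key client
    client = SubClient(gw, "master-x", "device-001", "alice", "pw")  # constructed inputs
    first_id, first_secret = client.client_id, client.client_secret
    gw.now = 3000
    client.refresh_or_reregister()
    refreshed_ok = client.registrations == 1
    stale_refresh = client.tokens["refresh_token"]    # issued at t=3000, valid until 6600
    gw.now = 3700                                     # client_id expired at 3600
    client.refresh_or_reregister()
    return {"reregistered": client.registrations == 2 and client.client_id != first_id,
            "refreshed_ok": refreshed_ok, "gw": gw,
            "old": (first_id, first_secret, stale_refresh)}
```

The order of checks in `token` is the whole point: the refresh token issued at t=3000 is still within its own lifetime at t=3700, but the client_id it belongs to is gone, so the only way forward is a new registration and a grant other than `refresh_token`.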