Layer7 API Management

  • 1.  Fetch refresh token based on access token

    Posted May 21, 2020 07:51 AM
    I don't want to expose the refresh token to the consumer application. So when the consumer app wants to generate a new access token using the refresh token, it will pass only the access token to the gateway API; this API will take the access token as input and fetch the refresh token from the GW DB. Once the refresh token is fetched, based on this refresh token the API will generate a new access and refresh token and send only the access token to the consumer app.
    Can you share a sample policy which will fetch the refresh token based on the access token as input?

    ------------------------------
    Technology Lead
    Infosys Limited
    ------------------------------


  • 2.  RE: Fetch refresh token based on access token

    Broadcom Employee
    Posted May 26, 2020 03:56 PM
    Hello,

    Why would you want this? What is the requirement you are trying to achieve? The intent of the refresh_token is to allow the client to issue a new access_token if the token is expired.



    Thanks
    Barry


  • 3.  RE: Fetch refresh token based on access token

    Posted May 27, 2020 01:58 AM
    We don't want to expose the refresh token to the end user because the user can keep getting access tokens infinitely using the refresh token.

    ------------------------------
    Technology Lead
    Infosys Limited
    ------------------------------



  • 4.  RE: Fetch refresh token based on access token

    Broadcom Employee
    Posted May 27, 2020 09:26 AM
    Hello,

    You can configure this behavior of the refresh token lifetime by setting reuse_refresh_expiration to true to retain the original refresh_token expiration and avoid infinite refresh.

    Refer to the section "Configure Refresh Token Behavior":
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-3/installation-workflow/configure-authentication/token-configuration.html


  • 5.  RE: Fetch refresh token based on access token
    Best Answer

    Broadcom Employee
    Posted May 27, 2020 09:41 AM
    By default, the refresh token is valid for 1 week (oauth2_refresh_token_lifetime_sec). If you set the reuse_refresh_expiration to false then the client needs to authenticate at least once a week. You can also set the refresh token lifetime to something less than 1 week.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-4/customizing-the-oauth-toolkit/configure-token-lifetime-properties.html


  • 6.  RE: Fetch refresh token based on access token

    Posted May 27, 2020 09:57 AM
    You mean if I set reuse_refresh_expiration to true, whatever expiration value was set the first time, say 1 hour, the new refresh token expiration value will always be < 1 hour? And after one hour, the final refresh token will not be able to regenerate a new access and refresh token, right?

    Thanks & Regards

    SACHIN S. GHUMBRE

  • 7.  RE: Fetch refresh token based on access token

    Broadcom Employee
    Posted May 27, 2020 10:09 AM
    Yes, that is correct. For your use case reuse_refresh_expiration needs to be true.

    reuse_refresh_expiration
    Either true or false.
    Determines whether a new or the original expiration time is used for the refresh token.
    If false, when a refresh token is used, a new expiration time is issued.
    If true, the original expiration time is maintained for any newly issued or reused refresh token.
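The behaviour of reuse_refresh_expiration discussed in this thread, as an added model that is not OTK code or part of the original thread: an in-memory token store that rotates refresh tokens on each grant and either inherits the original refresh expiry (true) or issues a fresh one (false). The 1-hour access lifetime and the one-time use of a presented refresh token are assumptions of this model; the 1-week refresh lifetime is the OTK default cited above.

```python
import secrets
from dataclasses import dataclass

# Constructed lifetimes: OTK's default refresh lifetime is 1 week; the access
# lifetime of 1 hour is an assumption for this model.
ACCESS_LIFETIME_SEC = 3600
REFRESH_LIFETIME_SEC = 7 * 24 * 3600


@dataclass
class TokenPair:
    access_token: str
    refresh_token: str
    access_expires_at: int
    refresh_expires_at: int


class TokenStore:
    """In-memory stand-in for the gateway's token DB (model, not OTK code)."""

    def __init__(self, reuse_refresh_expiration: bool):
        self.reuse_refresh_expiration = reuse_refresh_expiration
        self._by_refresh: dict[str, TokenPair] = {}

    def issue(self, now: int) -> TokenPair:
        pair = TokenPair(secrets.token_urlsafe(16), secrets.token_urlsafe(16),
                         now + ACCESS_LIFETIME_SEC, now + REFRESH_LIFETIME_SEC)
        self._by_refresh[pair.refresh_token] = pair
        return pair

    def refresh(self, refresh_token: str, now: int):
        # The presented refresh token is consumed (one-time use); an unknown or
        # expired one forces the client back to a full authentication.
        old = self._by_refresh.pop(refresh_token, None)
        if old is None or now >= old.refresh_expires_at:
            return None
        # reuse_refresh_expiration=true: inherit the original deadline, so the
        # chain of refreshes cannot outlive it; false: a fresh lifetime each time.
        refresh_exp = (old.refresh_expires_at if self.reuse_refresh_expiration
                       else now + REFRESH_LIFETIME_SEC)
        new = TokenPair(secrets.token_urlsafe(16), secrets.token_urlsafe(16),
                        now + ACCESS_LIFETIME_SEC, refresh_exp)
        self._by_refresh[new.refresh_token] = new
        return new


def count_refreshes(reuse: bool, interval: int, horizon: int) -> int:
    """Refresh every `interval` seconds until the first failure or `horizon`."""
    store = TokenStore(reuse)
    pair, done = store.issue(0), 0
    for now in range(interval, horizon + 1, interval):
        pair = store.refresh(pair.refresh_token, now)
        if pair is None:
            break
        done += 1
    return done
```

With the defaults above, a client refreshing hourly gets 167 refreshes and is then forced to re-authenticate when reuse_refresh_expiration is true, but refreshes indefinitely when it is false.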