Idea Details

OTK Token expiry time should be configurable against each client

Last activity 06-03-2019 08:33 PM
Anon Anon's profile image
06-21-2016 12:48 AM

We noticed that for OAuth token validation, current OTK 3.1.2 ( I would assume other OTK version is the same) setup a global variable as expiry time for each type of tokens, like access token and refresh token.

 

The problem here is, for diferent client application the use case and scenario is various. Client A may need the refresh token last very long, but Client B may need it relatively shorter. With a single variable there could be confliction of demond.

 

I would suggest a way to setup token expiry time configurable for each client. Especially when OTK integrated with portal, would you please add 2 more fields in the "Auth" tab, say "access token expiry time" and "refresh token expiry time", and pass this with the rest of integration data to the gateway? I assume you also need add 2 columns in the client tables to store these configuration data.

 

Regards,

 

Han


Comments

11-28-2017 12:43 PM

Hi all!

I have just added another comment to the blog post that @tkudo has referenced above. In OTK-4.1 it is much simpler do implement this. It requires you to update only one single policy. And that policy is customizable so it will not be overwritten when you update to the next version of OTK.

06-22-2016 11:50 AM

Great info tkudo, thank you.

 

It would be nice to see this as an option in the default policies as well (rather than manual editing).

06-22-2016 02:22 AM

Is this sufficient for you

 

OTK token lifetimes customized for OAuth clients | CA Communities

https://communities.ca.com/blogs/oauth/2016/01/25/otk-token-lifetimes-customized-for-oauth-clients

06-21-2016 07:59 PM

Ive had to configure this afew times  and if i remember correctly i browsed through the various policies replacing the token encapsulated insertions with one that took an extra parameter the client id  ... basically customizing the otk