HowTo set expiration time for refresh_token

Hi,

  • I’m using login + password to get session token
      AuthenticationClients.builder()
              .setOrgUrl(oktaClientProperties.getOrgUrl())
              .build()
              .authenticate(login,
                      password.toCharArray(),
                      null,
                      new IgnoringStateHandler());
  • then I use sessionToken to get authorization code
      oktaOauthClient.authorize(customOktaProperties.getServiceId(), Map.of(
              "nonce", "23321",
              "client_id", customOktaProperties.getClientId(),
              "response_type", "code",
              "scope", "offline_access",
              "redirect_uri", customOktaProperties.getRedirectUrl(),
              "sessionToken", sessionToken,
              "state", "sdasdas",
              "expires_in", Integer.valueOf(60*60*24*365).toString()
      ));
  • then I get refresh_token, access_token using authorization code.
      return oktaOauthClient.getUserTokens(customOktaProperties.getServiceId(), Map.of(
              "client_id", customOktaProperties.getClientId(),
              "client_secret", customOktaProperties.getSecret(),
              "grant_type", "authorization_code",
              "redirect_uri", customOktaProperties.getRedirectUrl(),
              "code", authorizationCode,
              "expires_in", Integer.valueOf(60*60*24*365).toString()
      ));

How can I configure expiration time for refresh_token?

If you are using a Custom Authorization Server to issue these tokens, you can set the refresh token lifetime in the applicable Access Rule. However, if you are using the built-in, un-customizable Org Authorization Server, refresh token lifetime will always be 100 days.
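
As an added example (not code from the posts above or from Okta), this sketch shows the access-rule change the answer describes for a Custom Authorization Server: it edits only the refresh token lifetime in a rule's JSON and builds the update request without sending it. The endpoint path, the `SSWS` header, the three `...Minutes` field names and the ordering check are assumptions based on Okta's Authorization Servers API and should be checked against the current API reference; the rule JSON, IDs and token are constructed placeholders.

```java
import java.net.URI;
import java.net.http.HttpRequest;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RefreshTokenLifetime {
    // Constructed sample of an access rule as a GET on the rule might return it.
    static final String SAMPLE_RULE = "{\"type\":\"RESOURCE_ACCESS\",\"name\":\"Default Policy Rule\","
        + "\"priority\":1,\"conditions\":{\"grantTypes\":{\"include\":[\"authorization_code\"]}},"
        + "\"actions\":{\"token\":{\"accessTokenLifetimeMinutes\":60,"
        + "\"refreshTokenLifetimeMinutes\":144000,\"refreshTokenWindowMinutes\":10080}}}";

    // Locate an integer field in the rule JSON (field names are assumed, see lead-in).
    static Matcher field(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*(\\d+)").matcher(json);
        if (!m.find()) throw new IllegalArgumentException("rule has no " + name);
        return m;
    }

    // Return the rule with only the refresh token lifetime changed, so the PUT keeps the rest.
    static String withRefreshLifetime(String json, long minutes) {
        long access = Long.parseLong(field(json, "accessTokenLifetimeMinutes").group(1));
        long window = Long.parseLong(field(json, "refreshTokenWindowMinutes").group(1));
        // Assumed constraint: the lifetime may not undercut the access token or idle window.
        if (minutes < access || minutes < window)
            throw new IllegalArgumentException("lifetime shorter than access token or idle window");
        Matcher m = field(json, "refreshTokenLifetimeMinutes");
        return json.substring(0, m.start(1)) + minutes + json.substring(m.end(1));
    }

    // Build (not send) the rule update; path and SSWS header are assumed, see lead-in.
    static HttpRequest buildUpdate(String orgUrl, String asId, String policyId,
                                   String ruleId, String apiToken, String body) {
        URI uri = URI.create(orgUrl + "/api/v1/authorizationServers/" + asId
            + "/policies/" + policyId + "/rules/" + ruleId);
        return HttpRequest.newBuilder(uri)
            .header("Authorization", "SSWS " + apiToken)
            .header("Content-Type", "application/json")
            .PUT(HttpRequest.BodyPublishers.ofString(body))
            .build();
    }

    public static void main(String[] args) {
        long oneYear = 60L * 24 * 365; // minutes; the rule takes minutes, not seconds
        String updated = withRefreshLifetime(SAMPLE_RULE, oneYear);
        HttpRequest req = buildUpdate("https://example.okta.com", "AUTH_SERVER_ID",
            "POLICY_ID", "RULE_ID", "API_TOKEN", updated);
        System.out.println(req.method() + " " + req.uri());
        System.out.println(updated);
    }
}
```

The idle window (`refreshTokenWindowMinutes`) is left at the sample's 7 days, so a one-year refresh token still stops working after a week without use.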