HowTo set expiration time for refresh_token

ivan_petrov · December 23, 2021, 4:08pm

Hi,

I’m using login + password to get session token

AuthenticationClients.builder()
                    .setOrgUrl(oktaClientProperties.getOrgUrl())
                    .build().authenticate(login,
                            password.toCharArray(),
                            null,
                            new IgnoringStateHandler());

then I use sessionToken to get authorization code

oktaOauthClient.authorize(customOktaProperties.getServiceId(), Map.of(
                    "nonce", "23321",
                    "client_id", customOktaProperties.getClientId(),
                    "response_type", "code",
                    "scope", "offline_access",
                    "redirect_uri", customOktaProperties.getRedirectUrl(),
                    "sessionToken", sessionToken,
                    "state", "sdasdas",
                    "expires_in", Integer.valueOf(60*60*24*365).toString()
            ));

then I get refresh_token, access_token using authorization code.

return oktaOauthClient.getUserTokens(customOktaProperties.getServiceId(), Map.of(
                "client_id", customOktaProperties.getClientId(),
                "client_secret", customOktaProperties.getSecret(),
                "grant_type", "authorization_code",
                "redirect_uri", customOktaProperties.getRedirectUrl(),
                "code", authorizationCode,
                "expires_in", Integer.valueOf(60*60*24*365).toString()
        ));

How can I configure expiration time for refresh_token?

andrea · December 28, 2021, 11:22pm

If you are using a Custom Authorization Server to issue these tokens, you can set the refresh token lifetime in the applicable Access Rule. However, if you are using the built-in, unc-customizable Org Authorization Server, refresh token lifetime will always be 100 days.

system · February 8, 2024, 9:09pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.