Set time to live for access tokens and refresh tokens, and a time period for maximum
consent for all tokens.
About this task
Access tokens are granted to the client application to allow the application to access resources
on behalf of the application user. Refresh tokens are issued to the client to obtain a new access
token when the current access token becomes invalid or expires, or to obtain additional access
tokens with identical or more narrow scope. You can also specify how long the consent given by the
combination of any number of access and refresh token remains valid.
One of the following roles is required to configure tokens for a native OAuth Provider:
- Administrator
- Owner
- Topology Administrator
- Custom role with the Settings:Manage permissions
You can select the token settings page for a native OAuth provider immediately on completion of
the creation operation detailed in Configuring a native OAuth provider, or you can update the
token settings for an existing native OAuth provider. If you want to update the token settings for
an existing native OAuth provider, complete the following steps before following the procedure
described in this topic:
- Click .
- Select the required native OAuth provider.
Procedure
Perform the following steps to configure tokens for the native OAuth provider:
- Click Tokens in the sidebar menu.
- Define the settings to configure tokens. The fields are described below.

Access tokens time to live
Enter the expiration time period in seconds for access tokens.

One time use access token
Click the check box to enable one time use for the access token. Access tokens are multiple use by
default, which allows them to be used for multiple requests. When one time use is enabled, the
access token is consumed after one use, and the OAuth flow must be repeated to obtain another
access token.
Note: If you select this option, you must also enable token management; see one of the following
topics, depending on the user interface you are using:

Refresh tokens
Click the check box to enable Refresh tokens. Set the Count to limit the number of times a refresh
token can be issued. Set the Refresh Token Time to Live value to determine the time to live, or
expiration time period, for each refresh token in seconds.

One time use refresh token
Clear the check box to disable one time use for the refresh tokens. Refresh tokens are one time use
by default, which allows them to be used one time only to generate an access token and a new
refresh token. When refresh token one time use is disabled, the refresh token count is limited to
one and the refresh token can be used multiple times to generate new access tokens; however,
another refresh token is not generated unless the initial OAuth flow (Authorization Code or
Password) is repeated.
Note: If you select this option, you must also enable token management; see one of the following
topics, depending on the user interface you are using:

Maximum consent
Click the check box to enable Maximum consent and enter the Maximum Consent Time to Live value in
seconds. This is the time to live, or expiration time period, for all tokens, both access and
refresh.

Token secret
Click the check box to select the Shared Secret that was configured for the gateway. If no Shared
Secret was entered in the Gateway Configuration, enter a key name and key value to use as the token
secret.

Proof Key for Code Exchange
Proof Key for Code Exchange (PKCE) is a method to protect OAuth 2.0 public clients from an
authorization code interception attack when they use Authorization Code grant requests. You can
enable this extension when deploying with the DataPower® API Gateway. For more information, see
RFC 7636.
Select the options for your OAuth Providers:
- Enable proof key for code exchange: if selected, enforces PKCE when submitted in Authorization
Code grant requests.
- Always required: if selected, requires PKCE in all Authorization Code grant requests.
- Allow plain: select this check box to allow the plain challenge method in Authorization Code
grant requests.
- Click Save when done.
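The following is an added illustrative model, not IBM API Connect code, of how the token settings above interact once tokens are issued and refreshed: the TokenSettings fields mirror the settings by name, the integer-second timeline and all values are constructed for the example, and the model shows that Maximum Consent bounds both access and refresh tokens regardless of the remaining refresh count.

```python
# Added illustrative model of the token settings; not IBM API Connect code, timings constructed
from dataclasses import dataclass
from typing import Optional

@dataclass
class TokenSettings:
    access_ttl: int                        # Access tokens time to live, in seconds
    refresh_enabled: bool = False          # Refresh tokens check box
    refresh_ttl: int = 0                   # Refresh Token Time to Live, in seconds
    refresh_count: int = 1                 # Count: refresh tokens issued per OAuth flow
    one_time_refresh: bool = True          # One time use refresh token (the default)
    max_consent_ttl: Optional[int] = None  # Maximum Consent Time to Live; None = disabled

@dataclass
class Grant:
    """Token state for one completed OAuth flow (one consent)."""
    settings: TokenSettings
    consent_expires: Optional[int]  # None = Maximum consent disabled
    access_expires: int
    refresh_expires: Optional[int]  # None = no refresh token is held
    refreshes_issued: int

def authorize(s: TokenSettings, now: int) -> Grant:
    """Initial OAuth flow: issue an access token and, if enabled, a refresh token."""
    consent = now + s.max_consent_ttl if s.max_consent_ttl is not None else None
    refresh = now + s.refresh_ttl if s.refresh_enabled and s.refresh_count >= 1 else None
    return Grant(s, consent, now + s.access_ttl, refresh, 1 if refresh is not None else 0)

def consent_valid(g: Grant, now: int) -> bool:
    return g.consent_expires is None or now < g.consent_expires

def access_valid(g: Grant, now: int) -> bool:
    """Maximum consent bounds every token, so it is checked alongside the access TTL."""
    return now < g.access_expires and consent_valid(g, now)

def refresh(g: Grant, now: int) -> bool:
    """Exchange the held refresh token for a new access token; False if refused."""
    s = g.settings
    if g.refresh_expires is None or now >= g.refresh_expires or not consent_valid(g, now):
        return False
    g.access_expires = now + s.access_ttl
    if s.one_time_refresh:  # consume this token; issue the next one while the count allows
        g.refresh_expires = None
        if g.refreshes_issued < s.refresh_count:
            g.refresh_expires = now + s.refresh_ttl
            g.refreshes_issued += 1
    # one time use disabled: count is limited to one and the same token is reused
    return True
```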
Results
Depending upon the visibility setting, the OAuth Provider can be used to secure the APIs in the
catalog.