Configuring tokens for a native OAuth provider

Set time to live for access tokens and refresh tokens, and a time period for maximum consent for all tokens.

About this task

Access tokens are granted to the client application to allow the application to access resources on behalf of the application user. Refresh tokens are issued to the client to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope. You can also specify how long the consent given by the combination of any number of access and refresh tokens remains valid.

One of the following roles is required to configure tokens for a native OAuth Provider:

  • Organization Administrator
  • Owner
  • Custom role with the Settings > Manage permissions

You can select the token settings page for a native OAuth provider immediately on completion of the creation operation detailed in Configuring a native OAuth provider, or you can update the token settings for an existing native OAuth provider. If you want to update the token settings for an existing native OAuth provider, complete the following steps before following the procedure described in this topic:

  1. Click the Resources icon, then Resources > OAuth Providers.
  2. Select the required native OAuth provider.

Procedure

  1. Click Tokens in the sidebar menu.
  2. Define the settings to configure tokens.
    The fields are described below.

    Access tokens time to live
      Enter the expiration time period in seconds for access tokens.

    One time use access token (DataPower API Gateway only)
      Click the check box to enable one time use for the access token. Access tokens are multiple use by default, which allows them to be used for multiple requests. When one time use is enabled, the access token is consumed after one use, and the OAuth flow must be repeated to obtain another access token.
      Note: If you select this option, you must also enable token management; see the token management topic for the user interface that you are using.

    Refresh tokens
      Click the check box to enable refresh tokens. Set the Count to limit the number of times a refresh token can be issued. Set the Refresh Token Time to Live value to determine the time to live, or expiration time period, for each refresh token in seconds.

    One time use refresh token
      Clear the check box to disable one time use for refresh tokens. Refresh tokens are one time use by default, which allows them to be used one time only to generate an access token and a new refresh token. When refresh token one time use is disabled, the refresh token count is limited to one and the refresh token can be used multiple times to generate new access tokens; however, another refresh token is not generated unless the initial OAuth flow (Authorization Code or Password) is repeated.
      Note: If you select this option, you must also enable token management; see the token management topic for the user interface that you are using.

    Maximum consent
      Click the check box to enable Maximum consent and enter the Maximum Consent Time to Live value in seconds. This is the time to live, or expiration time period, for all tokens, both access and refresh.

    Token secret (DataPower API Gateway only)
      Click the check box to select the Shared Secret that was configured for the gateway. If no Shared Secret was entered in the Gateway Configuration, enter a key name and key value to use as the token secret.

    Proof Key for Code Exchange (DataPower API Gateway only)
      Proof Key for Code Exchange (PKCE) is a method to protect OAuth 2.0 public clients from an authorization code interception attack when they use Authorization Code grant requests. You can enable this extension when deploying with the DataPower® API Gateway.

      For more information, see RFC 7636.

      Select the options for your OAuth Providers:
      • Enable proof key for code exchange
        If selected, enforces PKCE when submitted in Authorization Code grant requests.
      • Always required
        If selected, requires PKCE in all Authorization Code grant requests.
      • Allow plain
        Select this check box to allow the plain challenge method in Authorization Code grant requests.

  3. Click Save when done.
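To make the three PKCE options concrete, the following Python is an added example (not IBM's code and not the gateway's implementation) that builds an RFC 7636 code_verifier and S256 code_challenge on the client side, and models on the server side how the "Enable proof key for code exchange", "Always required" and "Allow plain" settings change what the token endpoint accepts. The function names, the keyword flags and the assumption that the provider stores the challenge and method alongside the issued authorization code are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 32 random bytes -> 43 unreserved characters (RFC 7636 minimum)."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(n_bytes))
    return raw.rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(stored_challenge, stored_method, code_verifier, *,
                enabled=True, always_required=False, allow_plain=False) -> bool:
    """Server side (assumed model): decide whether the token request may redeem the code.

    stored_challenge / stored_method: what the authorization request carried (None if absent).
    enabled         -> "Enable proof key for code exchange": enforce PKCE when a challenge was sent.
    always_required -> "Always required": a code issued without a challenge must be refused.
    allow_plain     -> "Allow plain": accept code_challenge_method=plain. With plain, the
                       challenge is the verifier itself, so S256 is the stronger choice.
    The always_required check really belongs at the authorization endpoint; it is folded
    in here so the three options can be exercised in one place.
    """
    if not enabled:
        return True                      # PKCE is not enforced at all
    if stored_challenge is None:
        return not always_required       # no challenge was bound to this code
    if code_verifier is None or not 43 <= len(code_verifier) <= 128:
        return False                     # missing or out-of-spec verifier
    if stored_method == "S256":
        expected = s256_challenge(code_verifier)
    elif stored_method == "plain" and allow_plain:
        expected = code_verifier
    else:
        return False                     # unknown method, or plain while plain is disallowed
    return hmac.compare_digest(expected, stored_challenge)
```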

Results

You can use the OAuth Provider to secure the APIs in a catalog.