API Protection token management properties
When we configure API Protection for OAuth and OpenID Connect, we must specify properties for token management.
The local management interface (LMI) page OpenID Connect and API Protection has a section that prompts for settings for token management. Refer to the following list of properties to determine the appropriate value for each property in your deployment.
For configuration task instructions, see Create an API protection definition.
- Access token lifetime (seconds)
- Number of seconds an access token is valid. When the access token becomes invalid, the client cannot use it to access the protected resource.
- Default value: 3600 seconds.
- Minimum value: 1 second.
- Access token length
- Number of characters in an access token.
- Default value: 20 characters.
- Minimum value: one character.
- Maximum value: 500 characters.
- Enforce single-use authorization grant
- If enabled, all the authorization grant tokens are revoked after an access token is validated. With this option enabled, resource requests that involve redirects fail because the access token is validated multiple times.
- Default value: disabled
- Authorization code lifetime (seconds)
- Number of seconds that an authorization code is valid.
- This option applies only to an authorization code grant type. The authorization server generates an authorization code and sends it to the client. The client uses the authorization code in exchange for an access token.
- Default value: 300 seconds.
- Minimum value: 1 second.
- Authorization code length
- Number of characters in an authorization code.
- Default value: 30 characters.
- Minimum value: one character.
- Maximum value: 500 characters.
- Issue refresh token
- Whether a refresh token is sent to the client. A refresh token is used to obtain a new pair of access and refresh tokens. This option is applicable only to the Authorization code and Resource owner password credentials grant types.
- Maximum authorization grant lifetime (seconds)
- Maximum number of seconds the resource owner authorizes the client to access the protected resource.
- This option is available only if we enable the Issue refresh token option.
- The value for this lifetime must be greater than the values specified for the authorization code and access token lifetimes.
- When this lifetime expires, the resource owner must reauthorize the client to obtain an authorization grant to access the protected resource.
- Default value: 604800 seconds.
- Minimum value: 1 second.
- Refresh token length
- Number of characters in a refresh token. This option is available only if we enable the Issue refresh token option.
- Default value: 40 characters.
- Minimum value: 1 character.
- Maximum value: 500 characters.
- Enforce single access token per authorization grant
- If enabled, all previously granted access tokens are revoked after a new access token is generated by presenting the refresh token to the authorization server.
- This option is available only if we enable the Issue refresh token option.
- Default value: enabled
- Enable multiple refresh tokens for fault tolerance
- How refresh tokens are handled. When this option is enabled and a refresh request is made, the initially used refresh token remains active (assuming it was active to begin with), even after the refresh request succeeds and a new token pair (access token and refresh token) is returned. Only upon the subsequent use of the new access token or new refresh token is the initially presented refresh token invalidated. If the initially used refresh token is presented again, the tokens issued on the first refresh request (Pair 1) are revoked, and another token pair (access token and refresh token) is issued. This new pair (Pair 2) is valid, and Pair 1 is invalid.
- This option is available only if we enable the Issue refresh token option.
- Default value: disabled
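The interaction between Issue refresh token, Enforce single access token per authorization grant and Enable multiple refresh tokens for fault tolerance is easiest to see in a small state model. The following is an added example, not IBM's implementation: an in-memory grant that applies the revocation rules listed above (strict rotation, fault-tolerant rotation where the old refresh token survives until the new pair is used, and revocation of Pair 1 when the old token is reused). Token lifetimes and the PIN policy are not modelled, and the character set and the `Grant` class are constructed for the demo.

```python
import secrets
from dataclasses import dataclass

# Constructed stand-in for the "Token character set" property (the product
# default is the full alphanumeric set; this narrower set keeps the demo short).
TOKEN_CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


def make_token(length, charset=TOKEN_CHARSET):
    """Random token of the configured length drawn from the configured character set."""
    return "".join(secrets.choice(charset) for _ in range(length))


@dataclass(frozen=True)
class TokenPair:
    access: str
    refresh: str


class Grant:
    """One authorization grant and the access/refresh tokens issued under it (demo model)."""

    def __init__(self, *, single_access_token=True, multiple_refresh_tokens=False,
                 access_len=20, refresh_len=40):
        self.single_access_token = single_access_token          # "Enforce single access token per authorization grant"
        self.multiple_refresh_tokens = multiple_refresh_tokens  # "Enable multiple refresh tokens for fault tolerance"
        self.access_len, self.refresh_len = access_len, refresh_len
        self.active_access = set()     # access tokens currently accepted
        self.active_refresh = set()    # refresh tokens currently accepted
        # Fault-tolerance bookkeeping: an old refresh token stays active until a token
        # from the pair it produced is used.  superseded: old_rt -> new pair;
        # pending: each token of that unconfirmed pair -> old_rt.
        self.superseded = {}
        self.pending = {}

    def _issue_pair(self):
        pair = TokenPair(make_token(self.access_len), make_token(self.refresh_len))
        if self.single_access_token:
            self.active_access.clear()  # revoke all previously granted access tokens
        self.active_access.add(pair.access)
        self.active_refresh.add(pair.refresh)
        return pair

    def authorize(self):
        """Initial pair after the authorization code or password credentials exchange."""
        return self._issue_pair()

    def _confirm(self, token):
        """First use of a token from an unconfirmed pair invalidates the old refresh token."""
        old_rt = self.pending.pop(token, None)
        if old_rt is None:
            return
        self.active_refresh.discard(old_rt)
        pair = self.superseded.pop(old_rt, None)
        if pair is not None:
            self.pending.pop(pair.access, None)
            self.pending.pop(pair.refresh, None)

    def validate_access(self, access):
        """Resource-server check; returns False for revoked or unknown tokens."""
        if access not in self.active_access:
            return False
        self._confirm(access)
        return True

    def refresh(self, refresh):
        """Exchange a refresh token for a new pair; returns None if the token is not active."""
        if refresh not in self.active_refresh:
            return None
        if not self.multiple_refresh_tokens:
            self.active_refresh.discard(refresh)  # strict rotation: old token dies immediately
            return self._issue_pair()
        self._confirm(refresh)  # presenting a new refresh token finalises the previous rotation
        earlier = self.superseded.pop(refresh, None)
        if earlier is not None:
            # Old token presented again: Pair 1 is revoked, Pair 2 is issued below.
            self.active_access.discard(earlier.access)
            self.active_refresh.discard(earlier.refresh)
            self.pending.pop(earlier.access, None)
            self.pending.pop(earlier.refresh, None)
        pair = self._issue_pair()
        self.superseded[refresh] = pair
        self.pending[pair.access] = refresh
        self.pending[pair.refresh] = refresh
        return pair


if __name__ == "__main__":
    g = Grant(multiple_refresh_tokens=True)
    p0 = g.authorize()
    p1 = g.refresh(p0.refresh)
    print("old refresh still active after rotation:", p0.refresh in g.active_refresh)  # True
    g.validate_access(p1.access)
    print("old refresh active after new access token used:", p0.refresh in g.active_refresh)  # False
```

With fault tolerance off, the same sequence leaves the old refresh token dead the moment the exchange succeeds, which is why a client that loses the response to its refresh request is then locked out of the grant; the fault-tolerant mode trades that for a short window in which two refresh tokens are accepted.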
- Enable PIN policy
- Provides more protection during the exchange of a refresh token for a new pair of access and refresh tokens.
- This option is available only if we enable the Issue refresh token option. If enabled, configure the PIN length.
- PIN Length
- Number of characters in a PIN. This option is available only if we enable the Enable PIN policy option. We can use the runtime.hashAlgorithm runtime parameter to configure the algorithm used to hash the PIN before it is stored. For information, see Advanced configuration properties.
- Default value: 4 characters.
- Minimum value: 3 characters.
- Maximum value: 12 characters.
- Token character set
- By default, a set of alphanumeric characters is displayed. We can specify the set of characters used to generate tokens in any of the following ways:
- Manually enter characters
- Select from a pre-defined character set from the drop-down list
- Edit the characters in the field after selecting from a set from the drop-down list
- The configured token character set applies to all token types. If this parameter is left blank, all available alphanumeric characters are used to generate the token.
- Maximum number of characters allowed: 200
Parent topic: Configure API protection