Refresh access token

Overview

The OAuth 2.0 Refresh Access Token filter enables an OAuth client to obtain a new access token by presenting a refresh token. This filter supports the OAuth 2.0 Refresh Token flow (RFC 6749, section 6). After the client has been authorized for access, it can use its refresh token to get a new access token (session ID) without sending the resource owner back through the authorization step. This is only done after the client has already received an access token, together with a refresh token, using either the Web Server or User-Agent flow. Note that RFC 6749 (section 4.2.2) does not allow refresh tokens to be issued by the implicit (User-Agent) flow, so in practice the refresh token comes from the Web Server flow. For more details on supported OAuth flows, see API Gateway OAuth 2.0 authentication flows.

Application validation settings

Configure the following fields on this tab:

Find client application information from message:

Select where the filter reads the client ID and client secret that authenticate the client application making the refresh request:

  • In Authorization Header:

    The credentials are sent in an HTTP Basic Authorization header (client ID and client secret joined with a colon and Base64-encoded). This is the default setting, and the method RFC 6749 (section 2.3.1) recommends for clients that can send it.

  • In Query String:

    The credentials are sent as request parameters. The Client Id parameter name defaults to client_id, and the Client Secret parameter name defaults to client_secret. Credentials carried in a URL are more likely to end up in proxy and server logs and in browser history than an Authorization header, so use this option only for clients that cannot send the header.
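As an added example (this is not the filter's own code), the following Python shows the refresh-token request as a client would send it with the credentials in either position, and the matching server-side extraction in the same order as the filter setting: Authorization header first, query-string parameters otherwise. The token endpoint path and the sample client credentials are assumptions for the example.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# Example code, not part of the Axway filter. The token endpoint path and
# the client credentials used with it are assumptions for this example.
TOKEN_ENDPOINT = "/api/oauth/token"  # assumed; adjust to the deployment


def build_refresh_request(client_id, client_secret, refresh_token,
                          credentials_in_header=True):
    """Return the refresh-token grant (RFC 6749 section 6) as a plain dict."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    query = ""
    if credentials_in_header:
        # HTTP Basic: base64("client_id:client_secret"), the filter's default
        raw = f"{client_id}:{client_secret}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    else:
        # "In Query String": parameter names default to client_id / client_secret
        query = urlencode({"client_id": client_id, "client_secret": client_secret})
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
    return {"method": "POST", "path": TOKEN_ENDPOINT, "query": query,
            "headers": headers, "body": body}


def client_credentials_from_message(msg, client_id_param="client_id",
                                    client_secret_param="client_secret"):
    """Return (client_id, client_secret), or None if the message carries none.

    The Authorization header is checked first. A malformed header is rejected
    outright rather than falling back to the query string, so a client cannot
    get past a bad header by also supplying parameters.
    """
    auth = msg.get("headers", {}).get("Authorization")
    if auth is not None:
        scheme, _, value = auth.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        # RFC 7617: the user-id cannot contain a colon, the password can
        client_id, sep, secret = decoded.partition(":")
        if not sep or not client_id:
            return None
        return client_id, secret
    params = parse_qs(msg.get("query", ""), keep_blank_values=True)
    ids = params.get(client_id_param, [])
    secrets_ = params.get(client_secret_param, [])
    if len(ids) != 1 or len(secrets_) != 1 or not ids[0]:
        return None  # missing or duplicated parameters are not accepted
    return ids[0], secrets_[0]


def refresh_grant_from_message(msg):
    """Return the refresh token from the form body, or None for any other grant."""
    form = parse_qs(msg.get("body", ""), keep_blank_values=True)
    if form.get("grant_type") != ["refresh_token"]:
        return None
    tokens = form.get("refresh_token", [])
    return tokens[0] if len(tokens) == 1 and tokens[0] else None
```

The extractor deliberately refuses duplicated client_id or client_secret parameters instead of taking the first or last one, because two components of a request path that disagree on which value wins is a classic parameter-pollution pitfall.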

Access token settings

Configure the following fields on this tab:

Access Token will be stored here:

Click the browse button to select where to cache the access token (for example, in the default OAuth Access Token Store). To add an access token store, right-click Access Token Stores, and select Add Access Token Store. You can store tokens in a cache, in a relational database, or in an embedded Cassandra database. For more details, see the section called “Manage access tokens and authorization codes”.

Access Token Expiry (in secs):

Enter the number of seconds before the access token expires. Defaults to 3600 (one hour). A shorter lifetime limits how long a leaked access token can be used, and because the client can refresh silently, short lifetimes cost the client little.

Access Token Length:

Enter the number of characters in the access token. Defaults to 54.

Access Token Type:

Enter the access token type. This tells the client how to present the access token in protected resource requests (for Bearer, in an Authorization: Bearer header as defined in RFC 6750). A client cannot use an access token whose type it does not understand. Defaults to Bearer.

Refresh Token Details:

Select one of the following options:

  • Generate a new refresh token:

    Select this option to issue a new access token and refresh token pair. The refresh token passed in the request is removed, so each refresh token can be used only once (refresh token rotation). This option is selected by default and is the safest choice: a refresh token that was captured stops working as soon as the legitimate client uses it, and a second presentation of an already-used token is a sign of replay.

    Enter the number of seconds before the refresh token expires in the Refresh Token Expiry (in secs) field, and enter the number of characters in the refresh token in the Refresh Token Length field. The expiry defaults to 43200 (12 hours), and the length defaults to 46.

  • Do not generate a refresh token:

    Select this option to issue a new access token only. The refresh token passed in the request is removed and no new one is returned, so when the new access token expires the client must go through the authorization flow again.

  • Preserve the existing refresh token:

    Select this option to issue a new access token and keep the existing refresh token. The refresh token passed in the request is returned unchanged with the access token response and stays valid until its own expiry, so a leaked refresh token remains usable for its full lifetime.

Store additional meta data with the access token which can subsequently be retrieved:

Click Add to store additional access token parameters, and enter the Name and Value in the dialog (for example, Department and Engineering). The metadata is stored in the access token store alongside the token and can be read back later when the token is validated (for example, by the Get access token information filter).
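The three Refresh Token Details options and the stored metadata, worked through as an added Python example that is not Axway's implementation: an in-memory stand-in for the access token store whose defaults mirror the filter defaults above (3600 s and 54 characters for access tokens, 43200 s and 46 characters for refresh tokens, token type Bearer). The policy names, the store's methods and the sample client are this example's own assumptions.

```python
import secrets
import string
import time

# Example code, not Axway's token store. Policy names "generate", "none" and
# "preserve" stand for the three Refresh Token Details options.
_ALPHABET = string.ascii_letters + string.digits


def random_token(length):
    """Cryptographically random token of exactly `length` characters."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


class AccessTokenStore:
    def __init__(self, access_expiry=3600, access_length=54,
                 refresh_expiry=43200, refresh_length=46, token_type="Bearer"):
        self.access_expiry = access_expiry
        self.access_length = access_length
        self.refresh_expiry = refresh_expiry
        self.refresh_length = refresh_length
        self.token_type = token_type
        self._access = {}   # access token -> record
        self._refresh = {}  # refresh token -> record

    def _grant(self, client_id, scope, metadata, now):
        """Create an access token record and the token response carrying it."""
        token = random_token(self.access_length)
        self._access[token] = {"client_id": client_id, "scope": scope,
                               "expires_at": now + self.access_expiry,
                               "metadata": dict(metadata)}
        return {"access_token": token, "token_type": self.token_type,
                "expires_in": self.access_expiry, "scope": scope}

    def issue(self, client_id, scope, metadata=None, now=None):
        """Initial grant, as the Web Server flow would produce it."""
        now = time.time() if now is None else now
        metadata = metadata or {}
        response = self._grant(client_id, scope, metadata, now)
        refresh = random_token(self.refresh_length)
        self._refresh[refresh] = {"client_id": client_id, "scope": scope,
                                  "metadata": dict(metadata),
                                  "expires_at": now + self.refresh_expiry}
        response["refresh_token"] = refresh
        return response

    def refresh(self, refresh_token, client_id, policy="generate", now=None):
        """Exchange a refresh token; returns the token response, or None (invalid_grant)."""
        now = time.time() if now is None else now
        rec = self._refresh.get(refresh_token)
        if rec is None or rec["client_id"] != client_id:
            return None  # unknown token, or presented by a different client
        if now >= rec["expires_at"]:
            del self._refresh[refresh_token]  # expired: client must re-authorize
            return None
        # The previous access token is left to expire on its own in this example.
        response = self._grant(client_id, rec["scope"], rec["metadata"], now)
        if policy == "generate":      # rotate: the old refresh token is removed
            del self._refresh[refresh_token]
            new_refresh = random_token(self.refresh_length)
            self._refresh[new_refresh] = {**rec, "expires_at": now + self.refresh_expiry}
            response["refresh_token"] = new_refresh
        elif policy == "none":        # access token only; old refresh token removed
            del self._refresh[refresh_token]
        elif policy == "preserve":    # same refresh token echoed back, expiry unchanged
            response["refresh_token"] = refresh_token
        else:
            raise ValueError(f"unknown policy {policy!r}")
        return response

    def access_token_info(self, access_token, now=None):
        """Metadata stored with a live access token, or None if unknown or expired."""
        now = time.time() if now is None else now
        rec = self._access.get(access_token)
        if rec is None or now >= rec["expires_at"]:
            return None
        return {"client_id": rec["client_id"], "scope": rec["scope"], **rec["metadata"]}
```

Under the default "generate" policy a second presentation of the old refresh token returns None; a production store would also treat that replay as a signal to revoke the whole grant, which this example leaves to the caller.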

Monitoring settings

The settings on this tab configure service-level monitoring options such as whether to store usage metrics data to a database. This information can be used by the web-based API Gateway Manager tool to display service use, and by the API Gateway Analytics tool to produce reports on how the service is used. For details on the fields on this tab, see the section called “Monitoring settings” in Get access token information.