Playing with Access (OAuth) Token for WSO2 API Manager or WSO2 IS

This post will be helpful if you would like to know:

  1. How to set the “access token” expiry interval for any individual API?
  2. How to set the “refresh token” expiry interval for any individual API?
  3. How to define a custom token?

Environment Used: API Manager 1.10.0 with WSO2 Identity Server 5.1.0

WSO2 API Manager (or Identity Server) issues an “access token” (also called a “Bearer Token”) associated with each application for OAuth-based authentication.

This token can be generated in two ways:

  1. API Store (Using GUI)
  2. API invocation

With option 1, we can generate the access token with the required expiry time, but this is not possible with option 2, where the expiry defaults to 1 hour.

However, WSO2 provides an option to change this default expiry time through configuration changes in the <WSO2-HOME>/repository/conf/identity/identity.xml file:

<AccessTokenDefaultValidityPeriod>3600</AccessTokenDefaultValidityPeriod>
<RefreshTokenValidityPeriod>36000</RefreshTokenValidityPeriod>

[There are some other properties as well]

But these values apply to all applications: you can’t set a different expiry interval for each application.

If you would like to control expiry intervals individually for each application, you can do this by updating a few values in the “[IDN_OAUTH2_ACCESS_TOKEN]” table directly in the associated database. You can also create an API to interact with this table; such an API should be secured so that only authenticated/authorized users can use it.

The [IDN_OAUTH2_ACCESS_TOKEN] table has the following columns:

  • [TOKEN_ID]
  • [ACCESS_TOKEN]
  • [REFRESH_TOKEN]
  • [CONSUMER_KEY_ID]
  • [AUTHZ_USER]
  • [TENANT_ID]
  • [USER_DOMAIN]
  • [USER_TYPE]
  • [GRANT_TYPE]
  • [TIME_CREATED]
  • [REFRESH_TOKEN_TIME_CREATED]
  • [VALIDITY_PERIOD]
  • [REFRESH_TOKEN_VALIDITY_PERIOD]
  • [TOKEN_SCOPE_HASH]
  • [TOKEN_STATE]
  • [TOKEN_STATE_ID]
  • [SUBJECT_IDENTIFIER]

Examples:

1. Set the expiry interval to indefinite for access token “fc5ba3057b40168b8aa7a4615bc7f815”

UPDATE [IDN_OAUTH2_ACCESS_TOKEN]
SET [VALIDITY_PERIOD] = -2000, TOKEN_STATE = 'ACTIVE', TOKEN_STATE_ID = 'NONE'
WHERE ACCESS_TOKEN = 'fc5ba3057b40168b8aa7a4615bc7f815';

Note: When you set the expiry time to “-1” while generating an access_token from the API Store GUI, it stores the value -2000 in the database. I have tried setting the value to “-1” and it works for me; presumably it works for any negative value, so please give other values a try if you like.

2. Set a custom access token: this lets you type out and remember your access token instead of copying it from the GUI.

UPDATE [IDN_OAUTH2_ACCESS_TOKEN]
SET ACCESS_TOKEN = 'access-token-for-bhajan', [VALIDITY_PERIOD] = -2000, TOKEN_STATE = 'ACTIVE', TOKEN_STATE_ID = 'NONE'
WHERE TOKEN_ID = '6713d9b0-41dc-4416-9157-ac84600c0820';

Note: You can use TOKEN_ID or ACCESS_TOKEN (or any other column) in the WHERE clause, as long as it identifies the record uniquely in the database.

You may not see any difference immediately after updating the record; wait a few minutes and send the request again, and it should work as expected. Sometimes, when we update the value and send the request instantly, it doesn’t work. I am not sure, but it might be due to some sort of caching.
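Because the same table edits can leave non-expiring or hand-typed tokens behind, it is worth being able to find them again. The following is an added example, not part of the post or of WSO2: it builds an in-memory SQLite copy of the table from constructed rows and lists ACTIVE tokens whose VALIDITY_PERIOD is negative or whose ACCESS_TOKEN is not the generated 32-hex shape. The column names are the post's; VALIDITY_PERIOD is assumed to be in seconds here, so check the unit in your schema before pointing the query at a real database.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed rows shaped like IDN_OAUTH2_ACCESS_TOKEN (only the columns the audit needs).
# Values are made up; the post's token strings are reused purely as sample data.
SAMPLE_ROWS = [
    ("t-1", "fc5ba3057b40168b8aa7a4615bc7f815", "app1", "alice", "2024-05-01 10:00:00", 3600, "ACTIVE"),
    ("t-2", "3a1f9c0e2b7d4e6f8a9b0c1d2e3f4a5b", "app1", "bob", "2024-05-01 10:00:00", -2000, "ACTIVE"),
    ("t-3", "access-token-for-bhajan", "app2", "carol", "2024-05-01 10:15:00", 3600, "ACTIVE"),
    ("t-4", "9f8e7d6c5b4a39281706f5e4d3c2b1a0", "app2", "dave", "2024-05-01 08:00:00", 3600, "REVOKED"),
]

# Shape of a token the server generates by itself (32 lowercase hex chars, as in the post).
GENERATED_TOKEN = re.compile(r"^[0-9a-f]{32}$")

def load_sample_db():
    """Build an in-memory SQLite table holding the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE IDN_OAUTH2_ACCESS_TOKEN (
        TOKEN_ID TEXT, ACCESS_TOKEN TEXT, CONSUMER_KEY_ID TEXT, AUTHZ_USER TEXT,
        TIME_CREATED TEXT, VALIDITY_PERIOD INTEGER, TOKEN_STATE TEXT)""")
    con.executemany("INSERT INTO IDN_OAUTH2_ACCESS_TOKEN VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return con

def audit_tokens(con, now_iso):
    """Return (TOKEN_ID, AUTHZ_USER, reason) for ACTIVE tokens worth a review.
    VALIDITY_PERIOD is treated as seconds (assumption for the sample; check your schema)."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    rows = con.execute("""SELECT TOKEN_ID, ACCESS_TOKEN, AUTHZ_USER, TIME_CREATED, VALIDITY_PERIOD
                          FROM IDN_OAUTH2_ACCESS_TOKEN
                          WHERE TOKEN_STATE = 'ACTIVE' ORDER BY TOKEN_ID""")
    for token_id, access_token, user, created, validity in rows:
        if validity < 0:
            findings.append((token_id, user, "non-expiring (VALIDITY_PERIOD < 0)"))
        elif datetime.fromisoformat(created) + timedelta(seconds=validity) <= now:
            continue  # expired on its own schedule; the server will reject it anyway
        if not GENERATED_TOKEN.match(access_token):
            findings.append((token_id, user, "hand-set ACCESS_TOKEN value"))
    return findings

def run_sample_audit():
    """Run the audit over the constructed rows at a fixed point in time."""
    return audit_tokens(load_sample_db(), "2024-05-01 10:30:00")

if __name__ == "__main__":
    for token_id, user, reason in run_sample_audit():
        print(f"{token_id} ({user}): {reason}")
```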
