
Issuing New Tokens Per Request

When there are multiple token requests from a combination of the same clientid, user and scopes, the same access token and refresh token are returned for all the token requests until the token expires.

This feature issues a new access token and refresh token for each token request after revoking the existing active token.

Try it out

Add the following configuration to the deployment.toml file in <is_home>/repository/conf/ to enable issuing a new token per request.

[oauth.token_renewal] 
renew_access_token_per_request = true

Note

If the OAuthTokenGenerator extension point is used, it overrides the value of renew_access_token_per_request: the code-level change takes precedence over this configuration. Hence, this configuration does not affect the flow of self-contained access tokens, which by default renew the access token for every request. It does not affect the refresh token grant flow either, which renews the access token by default and renews the refresh token depending on the renew_access_token_per_request configuration in the deployment.toml file.

Test it out

After enabling the feature, create an OAuth application in the identity server and obtain its Client ID and Client Secret. You can then generate tokens using the password grant type with the cURL command given below.

curl -v -X POST -H "Authorization: Basic <base64encoded clientId:clientSecret>" -k -d "grant_type=password&username=admin&password=admin&scope=somescope" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token

When you call the above URL a second time, a new token is generated. As long as the client ID, user, and scopes are the same, a new token is generated regardless of which grant type you use in the second call.

Given below are the responses to the first and the second requests.

{
  "access_token": "ed074839-7efc-3c07-a5a0-a06382eba5ac",
  "refresh_token": "faecb739-b065-305e-8233-fa2e9d94c10e",
  "scope": "somescope",
  "token_type": "Bearer",
  "expires_in": 3600
}

{
  "access_token": "1f00293e-278e-3326-89e3-eef2fcbf8b6b",
  "refresh_token": "c9deea6f-a440-35bf-8fac-e0a6043df2b1",
  "scope": "somescope",
  "token_type": "Bearer",
  "expires_in": 3600
}

You can also introspect the old access token using the following cURL command. You can see that it is inactive now.

curl -k -u admin:admin -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=<access token from 1st token API call>' https://localhost:9443/oauth2/introspect
{"active":false}
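The check described above (two token requests for the same client, user and scope, then introspection of the first token) can be scripted so it runs against the server or offline. This is an added example, not part of the product or this page; the endpoints are the ones on the page, the client credentials and the admin introspection credentials are placeholders, and fake_server is a constructed stand-in that models the behaviour the page describes for both settings of renew_access_token_per_request.

```python
import base64, json, ssl, urllib.parse, urllib.request

# Endpoints from the page; the client credentials passed in are placeholders.
TOKEN_URL = "https://localhost:9443/oauth2/token"
INTROSPECT_URL = "https://localhost:9443/oauth2/introspect"

def post_form(url, data, auth, transport=None, cafile=None):
    """POST a form with HTTP Basic auth ("user:secret") and return the JSON body.
    A transport(url, data, auth) callable can be injected to run offline."""
    if transport is not None:
        return transport(url, data, auth)
    headers = {"Authorization": "Basic " + base64.b64encode(auth.encode()).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    req = urllib.request.Request(url, data=urllib.parse.urlencode(data).encode(),
                                 headers=headers, method="POST")
    # cafile: the server certificate exported from the IS keystore; TLS stays verified
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

def check_renewal(client_id, client_secret, user, password, scope,
                  introspect_auth, transport=None, cafile=None):
    """Request a token twice for one client/user/scope, then introspect the first."""
    creds = f"{client_id}:{client_secret}"
    form = {"grant_type": "password", "username": user, "password": password, "scope": scope}
    first = post_form(TOKEN_URL, form, creds, transport, cafile)
    second = post_form(TOKEN_URL, form, creds, transport, cafile)
    old = post_form(INTROSPECT_URL, {"token": first["access_token"]},
                    introspect_auth, transport, cafile)
    return {"access_token_renewed": first["access_token"] != second["access_token"],
            "refresh_token_renewed": first["refresh_token"] != second["refresh_token"],
            "old_token_revoked": old.get("active") is False}

def fake_server(renew_per_request):
    """Constructed in-memory stand-in for both endpoints (offline only); one active token per key."""
    issued, n = {}, [0]

    def transport(url, data, auth):
        if url == INTROSPECT_URL:
            return {"active": any(data["token"] == a for a, _ in issued.values())}
        key = (auth, data["username"], data["scope"])
        if renew_per_request or key not in issued:
            n[0] += 1
            issued[key] = (f"access-{n[0]}", f"refresh-{n[0]}")  # replaces, i.e. revokes, the old pair
        access, refresh = issued[key]
        return {"access_token": access, "refresh_token": refresh,
                "scope": data["scope"], "token_type": "Bearer", "expires_in": 3600}
    return transport
```

Run check_renewal with the real Client ID, Client Secret and cafile against the server, or with transport=fake_server(True) offline; all three flags are True only when the setting is in effect and the first token has been revoked.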