Removing Unused Tokens from the Database¶
As you use the WSO2 Identity Server (WSO2 IS), the number of revoked, inactive and expired tokens accumulates in the IDN_OAUTH2_ACCESS_TOKEN table. These tokens are kept in the database for logging and audit purposes, but they can have a negative impact on the server's performance over time. Therefore, it is recommended to clean them periodically in order to enhance the token lookup and to avoid a growing access token table.
You can use one of the following methods for token cleanup.
Note
We recommend using stored procedures instead of using the cleanup task that is available in WSO2 Identity Server by default.
Using stored procedures for token cleanup¶
You can use the provided stored procedures to run a token cleanup task periodically to remove the old and invalid tokens. Follow the instructions below to configure token cleanup using this method.
Tip
It is safe to run these steps in read-only mode or during a time when traffic on the server is low but that is not mandatory.
-
Disable the internal token cleanup process by configuring the following property in the
deployment.toml
file found in the<IS_HOME>/repository/conf
folder.[oauth.token_cleanup] enable = false
-
Select the token cleanup script that is relevant to your database type from the list given below and run it on your database. This takes a backup of the necessary tables, turns off SQL updates, and cleans the database of unused tokens.
-
Once the cleanup is over, start WSO2 Identity Server by pointing to the cleaned-up database. You can also schedule a cleanup task that will be automatically run after a given period of time.
Configuring WSO2 Identity Server for token cleanup¶
Alternatively, you can also use WSO2 Identity Server, which triggers token cleanup during the following instances.
- New token generation
- Token refresh
- Token revocation
Enable token cleanup by configuring the following properties in the deployment.toml
file found in the <IS_HOME>/repository/conf
folder.
[oauth.token_cleanup]
enable = true
retain_access_tokens_for_auditing = true
Property | Description |
---|---|
enable |
Set this property to Set it to |
retain_access_tokens_for_auditing |
Set this property to Set it to |