API Protection token management properties
When you configure API Protection for OAuth and OpenID Connect, you must specify properties for token management.
The local management interface (LMI) page OpenID Connect and API Protection has a section for token management settings. Use the following list of properties to determine the appropriate value for each property in your deployment.
For configuration task instructions, see Creating an API protection definition.
- Access token lifetime (seconds)
- Specifies the number of seconds an access token is valid. When the access token becomes invalid, the client cannot use it to access the protected resource.
- Access token length
- Specifies the number of characters in an access token.
- Enforce single-use authorization grant
- If enabled, all tokens of the authorization grant are revoked after an access token is validated. As a consequence, resource requests that involve redirects fail, because the redirect causes the access token to be validated more than once.
- Authorization code lifetime (seconds)
- Specifies the number of seconds that an authorization code is valid.
- Authorization code length
- Specifies the number of characters in an authorization code.
- Issue refresh token
- Specifies whether a refresh token is issued to the client. A refresh token can be exchanged for a new pair of access and refresh tokens. This option applies only to the Authorization code and Resource owner password credentials grant types.
- Maximum authorization grant lifetime (seconds)
- Specifies the maximum number of seconds that the resource owner authorizes the client to access the protected resource.
- Refresh token length
- Specifies the number of characters in a refresh token. This option is available only if you enable the Issue refresh token option.
- Enforce single access token per authorization grant
- If enabled, all previously granted access tokens are revoked when a new access token is generated by presenting the refresh token to the authorization server.
- Enable multiple refresh tokens for fault tolerance
- Specifies how refresh tokens are handled. When this option is enabled and a refresh request is made, the initially used refresh token remains active (assuming it was active to begin with), even after the refresh request succeeds and a new token pair (access token and refresh token) is returned. The initially presented refresh token is invalidated only when the new access token or the new refresh token is subsequently used. If the initially used refresh token is presented again before then, the tokens issued on the first refresh request (Pair 1) are revoked and another token pair (Pair 2) is issued. Pair 2 is then valid and Pair 1 is invalid.
- Enable PIN policy
- Provides additional protection during the exchange of a refresh token for a new pair of access and refresh tokens.
- PIN Length
- Specifies the number of characters in a PIN. This option is available only if you enable the Enable PIN policy option. You can use the runtime.hashAlgorithm runtime parameter to configure the algorithm that is used to hash the PIN before it is stored. For more information, see Advanced configuration properties.
- Token character set
- By default, a set of alphanumeric characters is displayed. You can specify the set of characters used to generate tokens in any of the following ways:
- Manually enter characters
- Select from a pre-defined character set from the drop-down list
- Edit the characters in the field after selecting from a set from the drop-down list
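The revocation options above (Enforce single-use authorization grant, Enforce single access token per authorization grant, and Enable multiple refresh tokens for fault tolerance) describe token state transitions that are easier to follow when executed. The following Python model is an added example written for this page; it is not the product's code. The flag names, the token generator, and the behaviour when fault tolerance is disabled (the presented refresh token is invalidated as soon as it is exchanged) are assumptions for illustration. Token lifetimes and the PIN policy are not modelled.

```python
"""Model of the API Protection token-management options (added example, not product code).

  fault_tolerant      -> "Enable multiple refresh tokens for fault tolerance"
  single_access_token -> "Enforce single access token per authorization grant"
  single_use_grant    -> "Enforce single-use authorization grant"
Token values are drawn from a character set at a configured length, as the
"Token character set" and "* length" properties configure them.
"""
from __future__ import annotations

import math
import secrets
import string
from dataclasses import dataclass
from typing import Optional

ALPHANUMERIC = string.ascii_letters + string.digits  # assumed default character set


def generate_token(length: int, charset: str = ALPHANUMERIC) -> str:
    """Draw `length` characters uniformly from `charset` with a CSPRNG."""
    return "".join(secrets.choice(charset) for _ in range(length))


def token_entropy_bits(length: int, charset: str = ALPHANUMERIC) -> float:
    """Guessing resistance of a token of this shape: length * log2(|charset|)."""
    return length * math.log2(len(set(charset)))


@dataclass
class TokenPair:
    access: str
    refresh: str


class Grant:
    """Tokens belonging to one authorization grant, with their revocation state."""

    def __init__(self, *, fault_tolerant: bool = False, single_access_token: bool = False,
                 single_use_grant: bool = False, access_length: int = 20,
                 refresh_length: int = 40, charset: str = ALPHANUMERIC):
        self.fault_tolerant = fault_tolerant
        self.single_access_token = single_access_token
        self.single_use_grant = single_use_grant
        self.access_length, self.refresh_length, self.charset = access_length, refresh_length, charset
        self.active: set[str] = set()            # every token not yet revoked
        self.access_tokens: list[str] = []       # issued access tokens, oldest first
        self.pending: dict[str, TokenPair] = {}  # old refresh token -> pair it produced (fault-tolerant mode)
        self.current = self._issue()             # pair issued when the grant was created

    def _issue(self) -> TokenPair:
        pair = TokenPair(generate_token(self.access_length, self.charset),
                         generate_token(self.refresh_length, self.charset))
        self.active.update((pair.access, pair.refresh))
        self.access_tokens.append(pair.access)
        return pair

    def _revoke(self, *tokens: str) -> None:
        self.active.difference_update(tokens)

    def is_active(self, token: str) -> bool:
        return token in self.active

    def _settle(self, token: str) -> None:
        """First use of a pair produced by a refresh invalidates the refresh token that produced it."""
        for old_rt, pair in list(self.pending.items()):
            if token in (pair.access, pair.refresh):
                self._revoke(old_rt)
                del self.pending[old_rt]

    def validate_access(self, token: str) -> bool:
        """Validation of an access token on a resource request."""
        if token not in self.active:
            return False
        self._settle(token)
        if self.single_use_grant:
            # The whole grant is revoked once an access token has been validated, which is
            # why a flow that validates the same token twice (a redirect) fails on the second pass.
            self._revoke(*self.active)
        return True

    def refresh(self, refresh_token: str) -> Optional[TokenPair]:
        """Exchange a refresh token for a new pair; None if the token is not accepted."""
        if refresh_token not in self.active:
            return None
        self._settle(refresh_token)
        if refresh_token in self.pending:
            # The same old refresh token presented again: the pair it produced earlier is revoked.
            stale = self.pending.pop(refresh_token)
            self._revoke(stale.access, stale.refresh)
        pair = self._issue()
        if self.single_access_token:
            self._revoke(*[t for t in self.access_tokens if t != pair.access])
        if self.fault_tolerant:
            self.pending[refresh_token] = pair  # old refresh token stays active until the new pair is used
        else:
            self._revoke(refresh_token)         # assumed: immediate invalidation when fault tolerance is off
        return pair
```

Running the fault-tolerant branch shows the trade-off the option makes: a refresh token that has already been exchanged can be presented again, and keeps producing fresh pairs, until the client uses the pair it was given. That is what lets a client recover from a lost response, but it also means an old refresh token is replayable for that window, so the access and refresh token lengths (about 119 bits of entropy for 20 alphanumeric characters, as `token_entropy_bits` computes) and the refresh token lifetime are what bound the exposure.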