Reputation: 61
WSO2 Identity Server v5.1.0, with the integrated LDAP disabled and a read-only LDAP used for authentication.
When authenticating a user with WSO2 IS using the /oauth2/token API, WSO2 initially returns the following output:
{
"access_token": "fa738bd8c50d4506cf2c3566ed86adb8",
"refresh_token": "9b2d346cc05f827f4cab99bc9c90401a",
"scope": "openid",
"token_type": "Bearer",
"expires_in": 3600
}
When accessing the API again within 1 second, it gives expires as '3300'.
So my question is: why is 300 deducted every time when accessing the API for the first time?
Upvotes: 1
Views: 2283
Reputation: 4178
From WSO2 docs:
Configuring the token expiration time
User access tokens have a fixed expiration time, which is set to 60 minutes by default. Before deploying the API Manager to users, extend the default expiration time by editing the <AccessTokenDefaultValidityPeriod> element in <PRODUCT_HOME>/repository/conf/identity.xml.
Also take the time stamp skew into account when configuring the expiration time. The time stamp skew is used to manage small time gaps in the system clocks of different servers. For example, let's say you have two Key Managers and you generate a token from the first one and authenticate with the other. If the second server's clock runs 300 seconds ahead, you can configure a 300s time stamp skew in the first server. When the first Key Manager generates a token (e.g., with the default life span, which is 3600 seconds), the time stamp skew is deducted from the token's life span. The new life span is 3300 seconds and the first server calls the second server after 3200 seconds.
You configure the time stamp skew using the <TimestampSkew> element in <PRODUCT_HOME>/repository/conf/identity.xml.
Tip: Ideally, the time stamp skew should not be larger than the token's life span. We recommend you to set it to zero if the nodes in your cluster are synchronized. Also, note that when the API Gateway cache is enabled (it is enabled by default), even after a token expires, it will still be available in the cache for consumers until the cache expires in approximately 15 minutes.
Upvotes: 1
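The two-Key-Manager scenario from the quoted docs, as an added example that is not part of the original answer and is not WSO2 code. It is a simplified model: all function names are hypothetical, and it assumes the second node checks expiry against its own clock.

```python
# Simplified model of the time stamp skew scenario quoted from the docs.
# Assumption: node A issues the token at true time 0; node B's clock
# reads (true time + validator_offset). Names are hypothetical.

def advertised_expires_in(validity, skew, elapsed=0):
    """Lifetime the issuing node reports: remaining life span minus the skew."""
    return max(0, validity - elapsed - skew)

def validator_accepts(validity, validator_offset, true_elapsed):
    """Node B compares the token's life span against its own clock."""
    return true_elapsed + validator_offset < validity

def rejected_seconds(validity, skew, validator_offset):
    """Seconds inside the advertised window in which node B already
    treats the token as expired (the client sees unexpected failures)."""
    advertised = advertised_expires_in(validity, skew)
    return sum(
        1 for t in range(advertised)
        if not validator_accepts(validity, validator_offset, t)
    )

def unused_seconds(validity, skew, validator_offset):
    """Seconds after the advertised window in which node B would still
    have accepted the token (lifetime given up to the skew)."""
    advertised = advertised_expires_in(validity, skew)
    last_valid = max(0, validity - validator_offset)
    return max(0, last_valid - advertised)

if __name__ == "__main__":
    validity = 3600  # default life span from the docs, in seconds
    # (skew configured on node A, how far node B's clock runs ahead)
    for skew, offset in [(300, 300), (0, 300), (300, 0), (0, 0)]:
        print(
            f"skew={skew:>3}s offset={offset:>3}s "
            f"advertised={advertised_expires_in(validity, skew)}s "
            f"rejected={rejected_seconds(validity, skew, offset)}s "
            f"unused={unused_seconds(validity, skew, offset)}s"
        )
```

With synchronized clocks, a 300s skew only shortens the advertised lifetime, which is why the docs suggest setting it to zero in that case.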
Reputation: 111
Given that I understand your query, try changing the value of <TimestampSkew>300</TimestampSkew>, found in IS_HOME\repository\conf\identity\identity.xml, to <TimestampSkew>0</TimestampSkew>.
Upvotes: 0
Reputation: 799
Please check the value in identity.xml:
<OAuth> --> <TimestampSkew>300</TimestampSkew>
The default value is 300. When calculating the expiry time, the time stamp skew is also deducted, to keep the client on the safe side (network delays, etc.). You can change the value as required.
Upvotes: 1