Reputation: 41
I have an API set with OAuth2 authentication. A client has subscribed to my API using WSO2. We don't use refresh tokens. All access tokens expire in 1 hour.
What happens if my client requests 2 access tokens with the same client credentials? Will the first token be revoked or will both tokens live 1 hour?
Upvotes: 4
Views: 4410
Reputation: 406
According to the WSO2 docs, you can't have more than one access token. What you can do instead is change the token expiration time to longer than one hour.
In WSO2 API-M the access token must be unique for the following combination: CONSUMER_KEY, AUTHZ_USER, USER_TYPE, TOKEN_STATE, TOKEN_STATE_ID and TOKEN_SCOPE. This constraint is defined in the IDN_OAUTH2_ACCESS_TOKEN table. Therefore, it is not possible to have more than one access token for any of the above combinations.
Upvotes: 5
Reputation: 4001
When you request a token with client credentials, it will give an access token which is valid for 1 hour. If you again request a token from the token API within that 1 hour period, then it will give the same token. Basically, if there is a valid token, then it will return that. This is the default behavior.
But if you are using the API Store and click on token re-generation, then it will first revoke the token and get you a new access token.
If you want to get two different access tokens for the same client credentials at the same time, then you can use a scope. When there are different scopes in the token request, it will return two different access tokens.
Upvotes: 8
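The issuance rule the two answers describe (one active token per key/scope combination, the same token returned while it is still valid, regeneration revoking it, and a different scope yielding a different token), as an added Python model that is not WSO2's own code; the 1-hour TTL, the in-memory store and the fixed AUTHZ_USER/USER_TYPE values for the client credentials grant are constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 3600  # assumption: matches the question's 1-hour expiry


@dataclass
class Token:
    value: str
    consumer_key: str
    scope: str
    issued_at: float
    state: str = "ACTIVE"  # ACTIVE, EXPIRED or REVOKED

    def is_valid(self, now: float) -> bool:
        return self.state == "ACTIVE" and now < self.issued_at + TOKEN_TTL_SECONDS


@dataclass
class TokenStore:
    """Constructed model of the uniqueness constraint on IDN_OAUTH2_ACCESS_TOKEN."""
    active: dict = field(default_factory=dict)  # unique-combination key -> Token
    issued: list = field(default_factory=list)  # every token ever handed out

    @staticmethod
    def _key(consumer_key: str, scope: str) -> tuple:
        # Client credentials grant: the application itself is the user, so
        # AUTHZ_USER/USER_TYPE are constants here; TOKEN_STATE is ACTIVE by construction.
        return (consumer_key, "APPLICATION", "APPLICATION", "ACTIVE", "NONE", scope)

    def request_token(self, consumer_key: str, scope: str = "default", now: float = None) -> Token:
        now = time.time() if now is None else now
        key = self._key(consumer_key, scope)
        existing = self.active.get(key)
        if existing and existing.is_valid(now):
            return existing  # a valid token exists: hand back the same one
        if existing:
            existing.state = "EXPIRED"  # the old row stops being ACTIVE
        token = Token(secrets.token_hex(16), consumer_key, scope, now)
        self.active[key] = token
        self.issued.append(token)
        return token

    def regenerate(self, consumer_key: str, scope: str = "default", now: float = None) -> Token:
        # API Store "regenerate": revoke the active token first, then issue a fresh one
        now = time.time() if now is None else now
        existing = self.active.pop(self._key(consumer_key, scope), None)
        if existing:
            existing.state = "REVOKED"
        return self.request_token(consumer_key, scope, now)

    def validate(self, value: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        return any(t.value == value and t.is_valid(now) for t in self.issued)
```

Two requests inside the hour return one token value, a different scope gets its own token, and a regenerated token invalidates the previous one immediately rather than letting both live.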