wahmedalmas

Reputation: 7

Token Expiry after 15 minutes using WSO2 Identity Server

I have created a token by using the following API Call

https://wso2identityseverip:port/oauth2/token

I used the generated token in my API via Postman, which gives an accurate response. But after 15 min of idle state, when I use the same token in the API, it gives me an error.

{
  "code": "900901",
  "message": "Invalid Credentials",
  "description": "Access failure for API: /url/1.0.0, version: 1.0.0 status: (900901) - Invalid Credentials. Make sure you have provided the correct security credentials"
}

Requirement:

The token should expire after an hour. For this I have also added the following configurations in my deployment.toml.

[session.timeout]
idle_session_timeout= "60m"
remember_me_session_timeout= "14d"
extend_remember_me_session_timeout_on_auth=false

But the token is still expiring in 15 min.

Upvotes: 1

Views: 1028

Answers (2)

Anuradha Karunarathna

Reputation: 3057

The token expiry time is a per-application config, and the default OAuth token timeout is set to 3600 s (1 h). If you haven't changed this to 15 m, see the following.

If you are experiencing an invalid-token issue after session timeout, it would happen if your application has enabled SSO Session Based access token binding and you have also configured revoking the access token at session expiry (this is enabled by default from WSO2 IS 5.11.0 onwards: https://is.docs.wso2.com/en/5.11.0/setup/migrating-what-has-changed/#revoke-access-tokens-on-logoutsession-expiry).

Regarding session time-out configs:

The idle session time-out configs that you added, as follows,

[session.timeout]
idle_session_timeout= "60m"
remember_me_session_timeout= "14d"

only affect tenants that are created after adding the configuration. (Note the note in the green box: https://is.docs.wso2.com/en/5.11.0/learn/configuring-session-timeout/?query=idle_session_timeout#configuration)

In order to change the configs of an already created tenant or the carbon.super tenant, you have to log into the tenant via the management console, navigate to Main tab -> Identity Providers -> Resident, and change the configs there.

Since the error code (code: 900901) is coming from the APIM side, these answers would also help you to troubleshoot. Refer:

Upvotes: 3

Sominda Gamage

Reputation: 411

I have tried this with the latest IS 6.0.0.

You can change the following.

  1. Default validity period for application access tokens
  2. Default validity period for user access tokens

To do so, you can add the following to the deployment.toml (change the values as per your wish).

[oauth.token_validation]
app_access_token_validity=1800
user_access_token_validity=1800

In the latest IS, the default expiry is 3600 seconds (1 hr). But in your case it seems that isn't the case. Adding the above config will update the config files, but it will not update your already created SP configs. The config change will take effect from the next SP creation onwards. To update already created SPs, you have to do it from the Carbon console Service Provider settings.


When you do this, make sure to change the refresh token validity period as well.

Upvotes: 2
