Refresh Token for APEX Created REST Services Does Not Expire as Documented

(Doc ID 2293307.1)

Last updated on AUGUST 02, 2017

Applies to:

Oracle REST Data Services - Version 2.0.10 and later
Information in this document applies to any platform.

Symptoms

The "security.oauth.tokenLifetime" parameter in defaults.xml has been changed to modify the expiration time.
When a token is requested, it comes back with the new expiration time, but the refresh token itself does not last for 24 times the access token lifetime.


https://10.12.99.112:8181/ords/lisrest/oauth2/token

3600

The value is specified in seconds, and defaults to 3600 seconds (1 hour) for an access token.
The refresh token is fixed at 24 times the access token duration.

  a. The access token is set to expire after 60 sec, so the refresh token is supposed to expire after 24 times that, i.e. 24 minutes, but it did not expire after 24 minutes.
  b. The access token is set to expire in 7 days, so the refresh token should last for 24*7 = 158 days, but it expired before the time limit.

Configuration
_____________
ORDS: 2.0.10
 
According to <Note 2101190.1> - How to Change the Default Token Expiration and Refresh Token Expiration For ORDS: the expiration for the refresh token is 24 times the value of security.oauth.tokenLifetime - for APEX based REST services.

APEX based REST services are not honoring the refresh token expiration time.
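
The following is an added example, not Oracle's code: it reads security.oauth.tokenLifetime from a defaults.xml fragment, derives the documented refresh token lifetime (24 times the access token), and classifies observed refresh attempts against it, covering both symptoms above. It assumes defaults.xml uses the Java properties XML layout; the function names, the sample file and the observation tuples are constructed for illustration, and a rejection is attributed to expiry only (not revocation).

```python
import xml.etree.ElementTree as ET

REFRESH_MULTIPLIER = 24  # documented: refresh token lasts 24x the access token

# Constructed defaults.xml fragment (assumed Java properties XML layout), 60 s case
SAMPLE_DEFAULTS_XML = """<properties>
  <entry key="security.oauth.tokenLifetime">60</entry>
</properties>"""

def token_lifetimes(defaults_xml, default=3600):
    """Return (access_seconds, refresh_seconds) as the documentation describes them."""
    root = ET.fromstring(defaults_xml)
    access = default  # documented default when the parameter is absent
    for entry in root.iter("entry"):
        if entry.get("key") == "security.oauth.tokenLifetime":
            access = int(entry.text.strip())
    return access, access * REFRESH_MULTIPLIER

def classify(issued_at, attempt_at, accepted, refresh_lifetime):
    """Compare one observed refresh attempt with the documented lifetime."""
    age = attempt_at - issued_at
    if accepted and age > refresh_lifetime:
        return "ACCEPTED_AFTER_EXPIRY"   # symptom (a): token outlives the documented limit
    if not accepted and age <= refresh_lifetime:
        return "REJECTED_BEFORE_EXPIRY"  # symptom (b): token stops working early
    return "AS_DOCUMENTED"

# Constructed observations: (issued_at, attempt_at, refresh accepted?) in epoch seconds
OBSERVATIONS = [
    (0, 600, True),
    (0, 1500, True),
    (0, 900, False),
    (0, 2000, False),
]

def audit(defaults_xml, observations):
    """Classify every observation against the lifetime derived from defaults.xml."""
    _, refresh = token_lifetimes(defaults_xml)
    return [classify(i, a, ok, refresh) for i, a, ok in observations]

if __name__ == "__main__":
    print(token_lifetimes(SAMPLE_DEFAULTS_XML))
    for obs, verdict in zip(OBSERVATIONS, audit(SAMPLE_DEFAULTS_XML, OBSERVATIONS)):
        print(obs, verdict)
```

A refresh token accepted after its documented lifetime is the case to treat as a security finding, since a stolen refresh token then stays usable longer than the configuration implies.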

Cause
