My Oracle Support Banner

Refresh Token for APEX Created REST Services Does Not Expire as Documented (Doc ID 2293307.1)

Last updated on FEBRUARY 09, 2023

Applies to:

Oracle REST Data Services - Version 2.0.10 to 18.3
Information in this document applies to any platform.


The "security.oauth.tokenLifetime” parameter in defaults.xml has been changed to modify the expiration time.
When a token is requested it comes back with new expiration time but the refresh token self does not last for 24 times the access token.



The value is specified in seconds, and defaults to 3600 seconds (1 hour) for an access token.
The refresh token is fixed at 24 times the access token duration.

  a. Access token is set to expire at 60 sec, and refresh token supposed to expire 24 times access token that is 24 minutes. but it didn't expire in after 24 minutes.
  b. Access token set to expire in 7 days, so the refresh token should last for 24*7 = 158 days. but it expired before the time limit.

ORDS: 2.0.10
According to <Note 2101190.1> - How to Change the Default Token Expiration and Refresh Token Expiration For ORDS: the expiration for the refresh token is 24  the value of security.oauth.tokenLifetime - for APEX based REST services.

APEX based REST services are not honoring the refresh token expiration time.


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.