Oracle Access Manager (OAM) Using An OAUTH Refresh Token To Retrieve ACCESS TOKEN Results In A Hard Coded 15 Minutes Expiry Time
(Doc ID 2737464.1)
Last updated on SEPTEMBER 25, 2023
Applies to:Oracle Access Manager - Version 126.96.36.199.0 and later
Information in this document applies to any platform.
- Oracle Access Manager (OAM)
- Using An OAUTH Refresh Token To Retrieve ACCESS TOKEN Results In A Hard Coded 15 Minutes Expiry Time
- Access token expiry is set at the domain level to be 5 minutes (300 seconds).
- When performing a grant_type=authorization_code call, the access token is returned with an expires in 300 message and the jwt information inside the token has an "iat" and "exp" value that equals 5 minutes (eg exp minus iat = 300).
- When using a refresh token to retrieve a new access token, the Access Token expiry is set to 15 minutes inside the jwt. (i.e exp minus iat = 900).
- This is not a value set by any of our configurations for tokens at the domain level and appears to be hard coded.
- The "expires in" message still indicate 300 however
- As some oauth clients are inspecting these jwt values and using them for expiry and if there is a mismatch, this causes errors with access token expiration
- The Access token expiry should match regardless of whether the request is made via grant_type=authorization_code or grant_type=refresh_token.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document