Refresh token expiration - SSO
Refresh Token Expiration Policy
Expiration of refresh tokens can be configured by creating an expiration policy with an expiration time, either with Management UI or SSO API.
The expiration policy determines whether the refresh token’s lifespan is counted from the creation time or from the authentication time.
Correction from: was this was incorrectly stated previously as: “it was last used.”
Creation time for a refresh token:
when the refresh token was first issued
can be determined from the
iatclaim in the introspection response.
Authentication time for a refresh token:
when the owner of the refresh token was last authenticated with a token request (such as by using authorization code grant)
can be determined from the
auth_timeclaim in the introspection response.
The expiration time specifies how long the refresh token remains valid, according to the selected expiration policy.
The policy types are as follows:
none – the default; there is no policy, which means refresh token never expire, they can only be revoked manually
fixed – refresh tokens are valid for a specified time after the creation time
dynamic – refresh tokens are valid for a specified time after the authentication time
Correction from: was this was incorrectly stated previously as: “last login time”.
Changes in each Refresh Token Policy will affect only the refresh tokens that are connected to that policy.
Changing the policy type from fixed to dynamic or vice-versa can invalidate currently existing tokens. Similarly, shortening the expiration time may cause the tokens to become expired.
Configuring the Refresh Token Policy in Management UI
Go to the site you want to create the Refresh Token Policy to.
Click Mappings tab.
Click Create new mapping.
Fill in the name, and choose OAuth Refresh Token in the NameID Format field.
Click Ok.
Creation of a Refresh Token Policy.In the Mappings tab of the newly created refresh token policy, you can configure the expiration in the Refresh Token Expiration Policy section.
Choose the desired policy type and expiration time.Configuration of policy type and expiration time for a Refresh Token Policy.Link this refresh token mapping to applications, by clicking Applications tab.
Click Add… and choose the desired application.
Click Ok.Linking an Application to a Refresh Token Policy.With this configuration, any refresh token issued for this application will be valid according to the specified refresh token policy.
Configuring the Refresh Token Policy with SSO API
Create a refresh token policy by calling the
refreshTokenPolicyendpoint on the site you wish to create it on.
The expiration policy type and time are configured through theconfigurationparameter:configuration=expirationPolicy fixed configuration=expirationTime 10Example request:
PUT /sso-api/refreshTokenPolicy/System/refreshTokenPolicyAPI Accept: application/json Content-Type: application/x-www-form-urlencoded Authorization: Bearer ... name=refreshTokenPolicyAPI&configuration=expirationPolicy%20fixed&configuration=expirationTime%2010Example response:
{ "type": "refreshTokenPolicy", "id": "/refreshTokenPolicy/System/refreshTokenPolicyAPI", "attributes": { "name": "refreshTokenPolicyAPI", "configuration": [ "expirationTime 10", "expirationPolicy fixed" ] } }Link the policy to an application.
Example request:PUT /sso-api/refreshTokenPolicy/System/refreshTokenPolicyAPI/$link/application/System/SampleApp Accept: application/json Authorization: Bearer ...Example response:
{ "type": "refreshTokenPolicy", "id": "/refreshTokenPolicy/System/refreshTokenPolicyAPI", "objects": [ { "type": "application", "id": "/application/System/SampleApp", "link": "application" } ] }With this configuration any refresh token issued for this application will be valid according to the specified refresh token policy.
See Management API - SSO for more information.
Refresh Token Introspection
Information about a refresh token can be obtained by using the introspection endpoint /uas/oauth2/introspection.
Example request:
POST /uas/oauth2/introspection?token=u9JP_bag8IDW_PPNfsP6yAvdIsHG60ZVFKVny4aN-OI
Content-Type: application/x-www-form-urlencoded
Authorization: Basic ...
grant_type=password&scope=openid%20d2e4921a-778d-4a87-ba7f-bd24d8dd584d&client_id=d2e4921a-778d-4a87-ba7f-bd24d8dd584d&client_secret=***&username=system&password=***Example response for a valid refresh token:
{
"token_type": "refresh_token",
"active": true,
"sub": "cn=Administrator,ou=System,cn=Ubilogin,dc=test",
"iss": "sso.example.com/uas",
"client_id": "abc",
"scope": "openid",
"iat": 1755178556,
"auth_time": 1755178556,
"exp": 1755178616
}The exp claims represents the expiration time according to the specified policy:
for
fixedpolicy it is calculated from issue time:iat+ expiration timefor
dynamicpolicy it is calculated from last logon time:auth_time+ expiration time
If the expiration time has already passed, the refresh token will be invalidated and removed from the database.
Example response for an invalid, expired or removed token:
{
"active": false
}See Authorization code grant and native applications - SSO for more information about introspection.
Refresh Token Cleaner Service
Expired tokens are only removed if they are invalid upon introspection call.
Otherwise, there is a scheduled cleaner service that can be configured to run periodically to clean the database from expired tokens.
By default the service is set to run every day at 01.00. This setting can be changed by adding a com.ubisecure.ubilogin.uas.refresh-token.cleaner.scheduling property to uas.properties.
For example:
# Cleaning of expired refresh tokens is scheduled to be performed every night at 01:00.
com.ubisecure.ubilogin.uas.refresh-token.cleaner.scheduling = 0 0 1 * * ?
Refresh Token Cleanup Lock
Additionally to the cleaning service, a cleanup lock can be configured, which prevents two or more SSO nodes from performing the cleanup at the same time.
The configuration parameters for the cleanup lock are:
cleanupLockEnabledIf set to
true, SSO checks that it is able to obtain a lock before performing the refresh token cleanup.If set to
false, SSO doesn’t check for a lock before performing the refresh token cleanup.Default:
false
cleanupLockCheckWaitThe time (in seconds) how long an SSO node waits before starting refresh token cleanup to check if it was able to obtain lock successfully. This is to control the race condition of two or more nodes from trying to obtain the lock at same time.
Default:
10
cleanupLockTimeoutThe time (in seconds) after which a lock can be forcefully released and given to another SSO node. That’s to mitigate the possibility that a lock is left active in case of an unexpected error by allowing active SSO nodes to obtain a lock even if one already exists, provided that the age of the existing lock is older than the value specified for this parameter.
Default:
600
To enable the cleanup lock or change its settings, modify the desired refresh token policy with the configuration parameter:
PUT /sso-api/refreshTokenPolicy/System/refreshTokenPolicyAPI
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer ...
name=refreshTokenPolicyAPI&configuration=cleanupLockEnabled%20true&configuration=cleanupLockCheckWait%2020&configuration=cleanupLockTimeout%20450&configuration=expirationPolicy%20fixed&configuration=expirationTime%2010Example response:
{
"type": "refreshTokenPolicy",
"id": "/refreshTokenPolicy/System/refreshTokenPolicyAPI",
"attributes": {
"name": "refreshTokenPolicy",
"configuration": [
"expirationTime 10",
"cleanupLockTimeout 450",
"cleanupLockCheckWait 20",
"expirationPolicy fixed",
"cleanupLockEnabled true"
]
}
}Remember that while the lock is configured per refresh token policy, the cleanup service will run periodically for all existing refresh token policies.