LinkedIn
Copied!

Table of Contents

Enhanced refresh token strategy

You now have more precise control over your refresh token expiration strategy. When an OAuth 2.0 client application requests a new access token using the refresh token grant type, the Pega Platform response includes the new access token as well as the refresh token. In the Token Management section, you choose the refresh token issuance mechanism and the expiration of various tokens issued by Pega Platform.

Supporting grant types

The new access token expiry time is set to the value provided in Access token lifetime (in seconds).

Token Management

The Token Management section lets you choose the refresh token issuance mechanism.

In the Token Management section, the Token issuance setting for the Refresh token setting has three options from which you can choose. These are described in the following table:

Token Issuance Method Behavior
Issue once and keep until expiry Each time a new access token is requested using the Refresh token grant type, Pega Platform issues the same refresh token, with the expiry time updated to the remaining token lifetime using the value provided in Refresh token lifetime (in seconds).
Issue a new refresh token without changing expiry Each time a new access token is requested using the Refresh token grant type, Pega Platform issues a new refresh token, with the expiry time updated to the remaining token lifetime using the value provided in Refresh token lifetime (in seconds).
Issue a new refresh token and reset expiry Each time a new access token is requested using the Refresh token grant type, Pega Platform issues a new refresh token, with the expiry time reset to the value provided in Refresh token lifetime (in seconds).

Identity Provider (IdP) session bounded refresh tokens

When refresh tokens are used in combination with the authorization code grant type and single sign on (SSO), using Pega Authentication services, you can choose to set the refresh token expiry time as the session timeout value provided by the IDP during SSO.

When Authorization code and Set refresh token expiry from IdP session expiry are selected:

  • The refresh token expiry value is set to the same value as the IdP session expiry.
  • The refresh token lifetime value specified in the Token management section of the rule form is not considered.

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.