Limit the number of refresh tokens in apigee (gran...

santhoshbv2007 · 09-28-2021 04:32 AM

Hi,

I would like to know is there a way we can limit the number of refresh token generation in apigee oauth v2 policy, if out of the box solution is not available , please let me know how can this be achieved in apigee.

Note: Reusetoken will be set to "false", so each time when we use refreshtoken we get a new pair of refresh & accesstoken and the old tokens will be become invalid.

Refresh_count gives the number of times the same refresh token is used , hence this variable is of no use to my case.

dchiesa1

Can you try something like this? Use the SetOAuthV2Info policy to set and update a custom attribute on the refresh_token (named rcount maybe?) after each successful refresh. You will need to have read the rcount from the prior generation of the token. Maybe via GetOAuthV2Info, prior to calling OAuthV2/RefreshAccessToken .

The result is, rather than simply using OAuthV2/RefreshAccessToken, you will have five steps:

GetOAuthV2Info on refresh_token
JavaScript step to compute rcount+1
RaiseFault wrapped in a Condition, testing the incremented rcount against your preferred limit (say, 10 refreshes)
OAuthV2/RefreshAccessToken
SetOAuthV2Info with the new rcount

santhoshbv2007

thankyou dchiesa, for the suggestion will try out.

API-Evangelist

General question.

Is it new implementation? If yes, please move away from password grant type.

https://oauth.net/2.1/

Limit the number of refresh tokens in apigee (grant_type:Password)