What's the process for renewing bearer tokens when they expire?


If the token expires and the client gives you a 401... What's the process for renewal? Is it possible to renew via query to the agent directly? Or do you have to rerun the process for generation on the command line?


Hi @Geir Sjurseth

When a token is issued, you would get an expires_in value in number of seconds. You can use this value to decide whether to request a new token or not. Renewing the same token wouldn't be feasible once issued with a certain expiry time.

"token_type": "BearerToken", "expires_in": "3599",

For more info, can you let me know the OAuth grant type you are implementing?

Thanks, Seshi

Hi @seshi,

So when I fetch the token using the command line like so:

./edgemicro token get -o geirsjurseth -e test -i <client_id> -s <client_secret>

I don't see an expiry. In fact, if I take that resulting token and check it on jwt.io it decrypts part of it, but then tells me it's invalid (not sure whether that's relevant). But even if I do... How do I renew with edgemicro? Is there an endpoint for doing that on the agent? Or would I need to rerun the command line? When I looked in the code I could see that it was ultimately connecting to cloud on config[authUri]/token to get the info... That authUri, I assume, is coming from the default.yaml.

Is there another way?

/geir

Thanks for clarifying. @Prabhat Jha can you please provide your inputs.


Hi Geir,

In the course of an app, you wouldn't use a command line to generate your tokens. Instead, generally the client app would retrieve a token from the server via HTTP calls to the token endpoint to request a token which it would use until that token needs to be renewed.

In general, this is accomplished by POSTing a request to an URL similar to this:

https://{your_org}-{your_env}.apigee.net/{your-proxy-name}/token

With a JSON body like this:

{
  "client_id": "{your_id}",
  "client_secret": "{your_secret}",
  "grant_type": "client_credentials"
}

Scott

Hi @Scott Ganyo,

Your example is precisely what I saw locally configured in default.yaml ... But that url-structure looks to point to the cloud and not to the locally running agent. Can we do the same on the locally running agent?

Thanks,

/geir

The Microgateway doesn't expose its own endpoints, it's entirely a proxy for your APIs.

Hi @Scott Ganyo,

Yes, I tested hitting my jwt-proxy's endpoint under resource: token and it works fine. Are there any plans to expose that service on the agent as well? I'm thinking there may be use cases where the reason we're in an edgemicro scenario is because we don't want clients connecting back to the cloud to renew tokens.

Is the process otherwise to just keep using it until your app receives a 401 and then renew?

Thanks,

/geir

Sorry, I can't speak to the future plans. Perhaps someone who can is reading this or you can ask support directly.

As for token renewal, I'm fairly certain that the token you receive has the expiration information encoded as an "exp" claim that you could use to calculate when to renew prior to expiration so you wouldn't have to wait until you get an error.
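
Added example, not part of the original thread and not Apigee's code: a client-side cache that reads the "exp" claim and requests a fresh token shortly before expiry, with a 401 as the fallback trigger. `fetchToken`, `TokenCache`, `jwtExpiry` and `makeSampleJwt` are hypothetical names; `fetchToken` stands in for the client_credentials POST to the token endpoint and is injected so the block runs offline.

```javascript
// Read the "exp" claim (seconds since epoch) from a compact JWT.
// This decodes the payload for scheduling only; it does NOT verify the signature.
function jwtExpiry(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  // Node's 'base64' decoder also accepts the URL-safe alphabet used by JWTs.
  const claims = JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
  if (typeof claims.exp !== 'number') throw new Error('JWT has no numeric exp claim');
  return claims.exp;
}

class TokenCache {
  // fetchToken: async () => token string (assumed: wraps the POST to the token endpoint)
  // skewSec: renew this many seconds before exp to absorb clock drift and latency
  constructor(fetchToken, { skewSec = 60, nowSec = () => Math.floor(Date.now() / 1000) } = {}) {
    Object.assign(this, { fetchToken, skewSec, nowSec, token: null, exp: 0, pending: null });
  }

  async get() {
    if (this.token && this.nowSec() < this.exp - this.skewSec) return this.token;
    // Share one in-flight renewal among concurrent callers.
    if (!this.pending) {
      this.pending = this.fetchToken()
        .then((t) => { this.exp = jwtExpiry(t); this.token = t; return t; })
        .finally(() => { this.pending = null; });
    }
    return this.pending;
  }

  // Call on a 401 from the API: drop the cached token so the next get() renews.
  invalidate() { this.token = null; this.exp = 0; }
}

// Constructed, unsigned sample JWT for the offline demo (not a real token).
function makeSampleJwt(exp) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc({ exp })}.sig`;
}
```

The client secret stays inside `fetchToken`, so only that one function needs access to it.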


One of the reasons you get to deploy JWT app to your org is so that you can modify it to have your own expiryTime or your own credentials verification. Currently it does not have functionality to refresh token.

What would be the advantage of exposing the JWT endpoint through EdgeMicro other than one less URL that the client has to know about?