Is there a lifetime to the authorization code created by OAuthV2 policy?

If I use the authorization_code operation in an OAuth2 policy, is there a TTL associated with the authorization code that is returned? If so, is there a way to modify the TTL to a specified value? If not, is there an issued_at parameter that can be used to simulate a TTL during the exchange for the auth token?

Solved Solved
0 3 402
1 ACCEPTED SOLUTION

Not applicable

@Paul Williams,

There is TTL associated with authorization code. Tag 'ExpiresIn' can be used to specify a value.

View solution in original post

3 REPLIES 3

Not applicable

@Paul Williams,

There is TTL associated with authorization code. Tag 'ExpiresIn' can be used to specify a value.

Hmmm, I don't think there is a default lifetime documented. That's puzzling, isn't it? I think it's safe to assume "no expiry" if you don't set one.

The way to set the time-to-live on the code is with the ExpiresIn element:

<OAuthV2 name="GenerateAuthorizationCode">
  <Operation>GenerateAuthorizationCode</Operation>
    <!--
    ExpiresIn, in milliseconds. The ref is optional. The explicitly specified
    value is the default, when the variable reference cannot be resolved.
        60000 = 1 minute
       120000 = 2 minutes
    -->
  <ExpiresIn>60000</ExpiresIn>
  <GenerateResponse enabled="true"/>
</OAuthV2>

I'll ask the team to amend the doc so that the sample policy configuration for this policy includes the ExpiresIn element.

Any update to the docs?