How to reset refresh_count for refresh token


I have a requirement wherein I want to reuse a refresh token 3 times, and after that I have to generate a new refresh token which should again be reusable 3 times. I am able to read the refresh_count parameter and generate a new refresh_token using the RefreshAccessToken operation without the ReuseRefreshToken option. My question is:

How to make newly generated token reusable?

Even after generating a new refresh token, refresh_count is not getting reset. It keeps increasing even though the token is different.

How to reset refresh_count for new token?


Hi @Hanamantappa

Welcome to the community!

To reuse the same refresh token multiple times you need to enable

<ReuseRefreshToken>true</ReuseRefreshToken>

in your OAuth policy that uses the RefreshAccessToken operation.

Once you do this, whenever the same refresh token is used to generate a new access token, it will increment the refresh_count by 1 (assuming the refresh token is still active). With this you can include another RaiseFault policy to check the condition and then raise an error response accordingly, for example

<Flow name="token - refresh">
    <Request/>
    <Response>
        <!-- Generate Access Token from Refresh Token -->
        <Step>
            <Name>OAuth2-RefreshToken</Name>
        </Step>
        <!-- Raise Fault if the refresh_count exceeds 3 -->
        <Step>
            <Name>RF-ExceedsCount</Name>
            <Condition>oauthv2accesstoken.OAuth2-RefreshToken.refresh_count > 3</Condition>
        </Step>
    </Response>
    <Condition>(proxy.pathsuffix MatchesPath "/token") and (request.formparam.grant_type = "refresh_token") and (request.verb = "POST")</Condition>
</Flow>

I have attached a sample proxy here that supports a password grant type flow. To get it to work, please import this bundle to your org and then use a valid client id and secret to run the following curl:

curl -X POST \
  https://{org}-{env}.apigee.net/1431773-oauth/token \
  -H 'authorization: Basic {base 64 of clientId:clientSecret}' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'grant_type=password&username=test&password=test'

This should give you a refresh_token; use that in the following curl:

curl -X POST \
  https://{org}-{env}.apigee.net/1431773-oauth/token \
  -H 'authorization: Basic {base 64 of clientId:clientSecret}' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'grant_type=refresh_token&refresh_token={refresh_token}'

You will see that you can run the same curl command a couple of times to generate new access tokens. During the 4th call, you should see an error message

{
    "message": "Same refresh token used more than the limit"
}

which is what I have made up to send when it exceeds the limit.

NOTE: I have hard-coded the limit to 3 and used that within the condition. You can externalize that limit using a KVM or a custom attribute and use it within the condition if you want different limits for different apps.

Hope this is useful. Please reach out otherwise.

1431773-oauth-rev1-2017-09-28.zip
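As an added example (not from the thread or the attached bundle), the shell script below runs the two curl calls above in a loop and reports the attempt on which the RF-ExceedsCount fault fires; BASE_URL, CLIENT_ID and CLIENT_SECRET are assumed environment variables, and the proxy base path /1431773-oauth is taken from the sample.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: drive the /token endpoint of the sample
# proxy and confirm RF-ExceedsCount fires on the 4th reuse of one refresh token.
# Assumptions: BASE_URL (e.g. https://{org}-{env}.apigee.net), CLIENT_ID and
# CLIENT_SECRET are set in the environment; the proxy base path is /1431773-oauth.
set -u

# Extract one field from a flat JSON body without jq.
#   $1 = JSON body, $2 = field name; prints the value (quoted or numeric) or nothing.
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# Return 0 when the body is the RaiseFault response configured in the thread.
is_limit_error() {
  [ "$(json_field "$1" message)" = "Same refresh token used more than the limit" ]
}

# POST one form-encoded grant to the token endpoint and print the response body.
token_call() {
  curl -sS -X POST "${BASE_URL}/1431773-oauth/token" \
    -u "${CLIENT_ID}:${CLIENT_SECRET}" \
    -H 'content-type: application/x-www-form-urlencoded' \
    -d "$1"
}

# Password grant once, then reuse the returned refresh token until the limit trips.
run_refresh_loop() {
  local body rt attempt
  body=$(token_call 'grant_type=password&username=test&password=test')
  rt=$(json_field "$body" refresh_token)
  [ -n "$rt" ] || { echo "no refresh_token in password grant response" >&2; return 1; }
  for attempt in 1 2 3 4; do
    body=$(token_call "grant_type=refresh_token&refresh_token=${rt}")
    if is_limit_error "$body"; then
      echo "attempt ${attempt}: RF-ExceedsCount fired (expected on attempt 4 with limit 3)"
      return 0
    fi
    echo "attempt ${attempt}: refresh_count=$(json_field "$body" refresh_count)"
  done
  echo "limit was never enforced" >&2
  return 1
}

if [ -n "${BASE_URL:-}" ]; then
  run_refresh_loop
else
  echo "set BASE_URL, CLIENT_ID and CLIENT_SECRET to run against a deployed proxy" >&2
fi
```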

Thanks @Sai Saran Vaidyanathan. I am able to do what you mentioned. However, my question is: once refresh_count is 3, I want to generate a new token, and that should be reusable 3 times. I am able to generate a new token after refresh_count is 3, but the refresh_count for the new token is not starting from zero. Is there a way to reset that count when I use a different refresh token?

Hi @Hanamantappa - can you confirm what you mean by generating a new token? Are you referring to a new refresh_token? If yes, then the answer is yes: for every refresh_token call you make, you will get a unique refresh_token as well. For that call, you can use that newly generated refresh_token and apply the same logic. My only request is: don't try something that is not mentioned in the RFC.

If this answers your question, please accept the post so that it is useful for others.