What is the default expiration time or TTL of Refresh Token for SAML Machine User

Hi,

In the SAML Machine User Documentation,

ref: https://docs.apigee.com/api-platform/system-administration/automating-tasks

it's mentioned we can use the refresh_token to generate a new access token. But I could not find the validity time/TTL of the refresh_token.

From the token response, I could not find the access token TTL but not refresh token TTL.

Can you please provide the default expiration period of the refresh token?

If it's configurable at org level by admin, can you please provide the navigation flow to view/edit?

Your help is much appreciated.

ACCEPTED SOLUTION

I don't think the expiry of the refresh token is documented.

The access token and refresh token are both JWT, and they include issued-at and expiry times in the claims. Therefore you can directly inspect the "iat" and "exp" claims for yourself to determine the lifetime of the refresh token.

In my case the token is good for 30 days.

$ jwthp "eyJhbGc....uHt2wnFUY9ZbQ"
{
  "alg": "RS256"
}
{
  "jti": "483a74d1-64c6-43ba-93e2-a6c883c47fe3-r",
  "sub": "eeeeed72-aaaa-bbbb-cc-777788889999b3",
  "scope": [
    "scim.emails.read",
    "scim.me",
    "openid",
    "password.write",
    "approvals.me",
    "scim.ids.read",
    "oauth.approvals"
  ],
  "iat": 1559671469,
  "exp": 1562263469,
  "cid": "edgecli",
  "client_id": "edgecli",
  "iss": "https://login.apigee.com",
  "zid": "uaa",
  "grant_type": "password",
  "user_name": "dchiesa@google.com",
  "origin": "usergrid",
  "user_id": "eeeeed72-aaaa-bbbb-cc-777788889999b3",
  "al": 0,
  "aud": [
    "edgecli",
    "scim.emails",
    "scim",
    "openid",
    "password",
    "approvals",
    "scim.ids",
    "oauth"
  ],
  "iatStr": "2019-06-04T18:04:29Z",
  "expStr": "2019-07-04T18:04:29Z"
}

BTW, that "jwthp" thing is an alias for bash that decodes (but does not verify) a JWT, obtained from here.
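
Added example (not part of the original post, and not the jwthp alias it mentions): a Python version of the check described in the answer, which decodes a JWT without verifying it and derives the token lifetime from the "iat" and "exp" claims. The function names and the SAMPLE token are assumptions made for illustration; the sample is constructed from the claim values shown above and carries a placeholder signature.

```python
import base64
import json
from datetime import datetime, timezone


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token):
    """Return (header, claims) WITHOUT checking the signature: fine for reading
    your own token's metadata, never a basis for an authorization decision."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return tuple(json.loads(b64url_decode(p)) for p in parts[:2])


def token_lifetime(token, now=None):
    """Summarize a token's lifetime from its 'iat' and 'exp' claims (epoch seconds)."""
    _, claims = decode_unverified(token)
    missing = [c for c in ("iat", "exp") if c not in claims]
    if missing:
        raise ValueError("token lacks claim(s): " + ", ".join(missing))
    now = int(datetime.now(timezone.utc).timestamp()) if now is None else now
    fmt = lambda t: datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "issued": fmt(claims["iat"]),
        "expires": fmt(claims["exp"]),
        "lifetime_days": (claims["exp"] - claims["iat"]) / 86400,
        "seconds_left": max(0, claims["exp"] - now),
        "expired": now >= claims["exp"],
    }


# Constructed sample: the iat, exp and cid values are the ones in the post above;
# the signature is a placeholder, so this token would fail real verification.
SAMPLE = ".".join(b64url_encode(part) for part in (
    json.dumps({"alg": "RS256"}).encode(),
    json.dumps({"iat": 1559671469, "exp": 1562263469, "cid": "edgecli"}).encode(),
    b"placeholder-signature",
))

if __name__ == "__main__":
    print(json.dumps(token_lifetime(SAMPLE), indent=2))
```

Passing `now` explicitly makes the remaining-time calculation reproducible, which helps when scheduling a re-authentication before the refresh token lapses.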
