Configuring refresh token storage and expiration

You can change the expiration time of refresh tokens, and in a scaled-out or Cloud-based setup, you must encrypt your refresh tokens and store them client-side.

Procedure

  1. Access a server on which an instance of the Discovery Service runs, and access its configuration location.
  2. Open the configuration file cd_ambient_conf.xml for viewing.
    The file contains the following elements:
    <TokenExpireTime TimeInSeconds="${accesstokenexpire:-300}" />
    <RefreshTokenExpireTime TimeInSeconds="${refreshtokenexpire:-3600}" />
  3. Ensure that the two TimeInSeconds attributes in these elements are resolved as follows when you run your script:
    • Set the TimeInSeconds attribute of the TokenExpireTime element to the desired expiration time, in seconds, for access tokens.
    • Set the TimeInSeconds attribute of the RefreshTokenExpireTime element to the desired expiration time, in seconds, for refresh tokens.
  4. By default, the Discovery Service stores refresh tokens server-side in service memory. If you are running a Cloud-based setup, or if you are running multiple Discovery Service instances, you must store the refresh tokens, encrypted, client-side. To do so, in the file application.properties, set the value of the oauth.storage.type property to json.
  5. Repeat the steps above for every other server on which a Discovery Service instance runs.
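
To verify the result of this procedure across servers, the following added example (not part of the product or its documentation) resolves the two TimeInSeconds placeholders and checks the oauth.storage.type setting for each Discovery Service instance. It assumes that ${name:-default} means "the supplied value, otherwise the default" and that you pass in the values your start script supplies; the function names, the wrapping root element and the host names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
PLACEHOLDER = re.compile(r"\$\{([^}:]+)(?::-([^}]*))?\}")

def resolve(value, params):
    """Expand ${name:-default}: params[name] if supplied, else the default."""
    def sub(m):
        name, default = m.group(1), m.group(2)
        if name in params:
            return str(params[name])
        if default is None:
            raise KeyError(f"no value or default for {name}")
        return default
    return PLACEHOLDER.sub(sub, value)

def token_lifetimes(xml_text, params):
    """Return (access_seconds, refresh_seconds) after placeholder resolution."""
    root = ET.fromstring(xml_text)
    secs = []
    for tag in ("TokenExpireTime", "RefreshTokenExpireTime"):
        el = next(root.iter(tag), None)
        if el is None:
            raise ValueError(f"{tag} element missing")
        secs.append(int(resolve(el.get("TimeInSeconds", ""), params)))
    return tuple(secs)

def storage_type(properties_text):
    """Value of oauth.storage.type in application.properties, or None if unset."""
    for line in properties_text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and key.strip() == "oauth.storage.type":
            return val.strip()
    return None

def audit(servers, scaled_out):
    """servers: {host: (xml_text, params, properties_text)} -> list of findings."""
    findings, seen = [], {}
    for host, (xml_text, params, props) in servers.items():
        seen[host] = token_lifetimes(xml_text, params)
        if scaled_out and storage_type(props) != "json":
            findings.append(f"{host}: oauth.storage.type must be json")
    if len(set(seen.values())) > 1:
        findings.append(f"token lifetimes differ between servers: {seen}")
    return findings
# Constructed sample: the two elements from the page inside a made-up root.
SAMPLE_XML = """<Configuration>
  <TokenExpireTime TimeInSeconds="${accesstokenexpire:-300}" />
  <RefreshTokenExpireTime TimeInSeconds="${refreshtokenexpire:-3600}" />
</Configuration>"""
```

An empty list from audit() means every instance resolves to the same lifetimes and, when scaled_out is true, every instance stores refresh tokens client-side.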