Configuring refresh token storage and expiration

You can change the expiration times of access tokens and refresh tokens. In a scaled-out or Cloud-based setup, you must also encrypt your refresh tokens and store them client-side.

Procedure

  1. Access a server on which an instance of the Discovery Service runs, and access its configuration location.
  2. By default, the Discovery Service is configured to expire access tokens after 300 seconds, and refresh tokens after 3600 seconds. To override these values, create the following environment variables and set them to the preferred numbers of seconds:
    • Configure an environment variable called accesstokenexpire to set the access token expiration time in seconds.
    • Configure an environment variable called refreshtokenexpire to set the refresh token expiration time in seconds.

    Alternatively, you can hardcode these values in the file cd_ambient_conf.xml, as values for the TimeInSeconds attributes of the TokenExpireTime and RefreshTokenExpireTime elements, respectively.

  3. By default, the Discovery Service stores refresh tokens server-side in service memory. If you are running a Cloud-based setup, or if you are running multiple Discovery Service instances, you must store the refresh tokens, encrypted, client-side. To do so, create an environment variable called oauthstoragetype and set it to the value json. Alternatively, you can hardcode the value in the file application.properties, as the value of the oauth.storage.type property.
  4. Repeat the steps above for every other server on which a Discovery Service instance runs.
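
A preflight check for the three environment variables from steps 2 and 3, to run on each server in step 4. This is an added example, not part of the product or its documentation: the function names and the yes/no argument are hypothetical, and it only inspects the environment of the shell it runs in, not cd_ambient_conf.xml or application.properties.

```shell
#!/bin/sh
# Added example: validates accesstokenexpire, refreshtokenexpire and
# oauthstoragetype as described in the procedure above.
# is_positive_int and check_token_env are hypothetical helper names.

# Succeeds when $1 is a positive decimal integer.
is_positive_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# Usage: check_token_env yes|no
#   yes = Cloud-based setup or multiple Discovery Service instances
#   no  = single instance, server-side storage in service memory is acceptable
# Prints one line per problem; returns 0 only when no problem was found.
check_token_env() {
    needs_client_storage="$1"
    problems=0
    # Unset variables fall back to the documented defaults (300 and 3600).
    access="${accesstokenexpire-300}"
    refresh="${refreshtokenexpire-3600}"
    storage="${oauthstoragetype-}"

    if ! is_positive_int "$access"; then
        echo "accesstokenexpire is not a positive number of seconds: '$access'"
        problems=$((problems + 1))
    fi
    if ! is_positive_int "$refresh"; then
        echo "refreshtokenexpire is not a positive number of seconds: '$refresh'"
        problems=$((problems + 1))
    fi
    # In-memory storage is per instance, so a scaled-out setup needs json.
    if [ "$needs_client_storage" = "yes" ] && [ "$storage" != "json" ]; then
        echo "oauthstoragetype must be json here (found '${storage:-unset}')"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}
```

After sourcing the file in the environment the Discovery Service starts from, call `check_token_env yes` for a Cloud-based or multi-instance setup; a non-zero exit status means at least one variable needs attention.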