I have a flow that generates an OAuth2 access token and also provides a refresh token (with expiry). When I use the refresh token to obtain a new access token, I would like to prevent the response from containing a new refresh token value (with expiry). Is there any way to do this other than limiting the number of times that the refresh_token policy is invoked? In short, I only want one refresh token to be used by the end user instead of multiple (i.e. the one from the original OAuth token request, not the one from the refresh_token request).
Here is a sample to assist:
Response from the request to generate an OAuth token:
{
  "issued_at": "1492009708510",
  "scope": "",
  "application_name": "0eb7f33a-5c84-4751-aae4-8d4f18f25705",
  "refresh_token_issued_at": "1492009708510",
  "status": "approved",
  "refresh_token_status": "approved",
  "api_product_list": "[<removed>]",
  "expires_in": "1799",
  "developer_email": "<removed>",
  "token_type": "BearerToken",
  "refresh_token": "sn3JwgyRV02itBrCIJgSVrEwIMmGTgxT",
  "client_id": "<removed>",
  "access_token": "0VxvGIXLo0B7rFKxNDjbshiWRvfk",
  "organization_name": "<removed>",
  "refresh_token_expires_in": "28799",
  "refresh_count": "0"
}
Here is the response from the refresh_token request using the refresh_token value from the original request ('sn3JwgyRV02itBrCIJgSVrEwIMmGTgxT'):
{
  "issued_at": "1492009846489",
  "scope": "",
  "application_name": "0eb7f33a-5c84-4751-aae4-8d4f18f25705",
  "refresh_token_issued_at": "1492009846489",
  "status": "approved",
  "refresh_token_status": "approved",
  "api_product_list": "[<removed>]",
  "expires_in": "1799",
  "developer_email": "<removed>",
  "token_type": "BearerToken",
  "refresh_token": "GnnxrqT98kFjVT3o11eoxxAeGYjvonLr",
  "client_id": "<removed>",
  "old_access_token_life_time": "137984",
  "access_token": "GvVZ7yV1LrlUUEEaI8M8uDRGehmg",
  "organization_name": "<removed>",
  "refresh_token_expires_in": "0",
  "refresh_count": "1"
}
Basically, I want to prevent the 'refresh_token' and 'refresh_token_expires_in' attributes from being returned in the response back to the client, to avoid them using the second refresh token value. The client should still be able to receive new access tokens using the original refresh_token value until it expires.
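The behaviour the post asks for, shown as an added example that is not part of the original post and not code from any token server or gateway product: a response filter that, only on a refresh_token grant, drops the 'refresh_token' and 'refresh_token_expires_in' attributes before the body goes back to the client, plus a small client-side token cache that shows why this leaves the client holding exactly one refresh token. The function names, the 'password' grant type used for the original request, and the placement of the filter (somewhere that can rewrite the token endpoint's response body) are assumptions; the sample bodies are constructed from the two responses quoted above.

```javascript
'use strict';

// Sample bodies constructed from the two responses quoted in the post
// (the <removed> fields are omitted; token values are the ones shown there).
const SAMPLE_GRANT_RESPONSE = JSON.stringify({
  issued_at: '1492009708510',
  expires_in: '1799',
  token_type: 'BearerToken',
  access_token: '0VxvGIXLo0B7rFKxNDjbshiWRvfk',
  refresh_token: 'sn3JwgyRV02itBrCIJgSVrEwIMmGTgxT',
  refresh_token_issued_at: '1492009708510',
  refresh_token_expires_in: '28799',
  refresh_count: '0',
});

const SAMPLE_REFRESH_RESPONSE = JSON.stringify({
  issued_at: '1492009846489',
  expires_in: '1799',
  token_type: 'BearerToken',
  access_token: 'GvVZ7yV1LrlUUEEaI8M8uDRGehmg',
  refresh_token: 'GnnxrqT98kFjVT3o11eoxxAeGYjvonLr',
  refresh_token_issued_at: '1492009846489',
  refresh_token_expires_in: '0',
  refresh_count: '1',
});

// The two attributes the post wants hidden on a refresh. Extend this list
// (e.g. with refresh_token_issued_at) if the client should see nothing about
// the rotated token at all.
const ROTATED_REFRESH_FIELDS = ['refresh_token', 'refresh_token_expires_in'];

// Hypothetical gateway-side filter. Given the raw JSON body from the token
// endpoint and the grant_type of the proxied request, return the body that
// should reach the client. Non-refresh grants pass through untouched, so the
// client still receives its single refresh token from the original request.
function filterTokenResponse(body, grantType) {
  const token = JSON.parse(body);
  if (grantType !== 'refresh_token') {
    return JSON.stringify(token);
  }
  const filtered = {};
  for (const [key, value] of Object.entries(token)) {
    if (!ROTATED_REFRESH_FIELDS.includes(key)) {
      filtered[key] = value;
    }
  }
  return JSON.stringify(filtered);
}

// Hypothetical client-side cache showing the intended client behaviour:
// the refresh token and its absolute expiry are recorded only when a
// response carries one, so after the filter above they come from the
// original grant and are reused until that expiry.
class TokenStore {
  constructor() {
    this.accessToken = null;
    this.accessExpiresAt = 0;   // epoch ms
    this.refreshToken = null;
    this.refreshExpiresAt = 0;  // epoch ms
  }

  // receivedAtMs: when the client received this body (expires_in is relative).
  record(body, receivedAtMs) {
    const t = JSON.parse(body);
    this.accessToken = t.access_token;
    this.accessExpiresAt = receivedAtMs + Number(t.expires_in) * 1000;
    if (typeof t.refresh_token === 'string') {
      this.refreshToken = t.refresh_token;
      this.refreshExpiresAt = receivedAtMs + Number(t.refresh_token_expires_in) * 1000;
    }
  }

  needsRefresh(nowMs) { return nowMs >= this.accessExpiresAt; }

  canRefresh(nowMs) { return this.refreshToken !== null && nowMs < this.refreshExpiresAt; }
}

// Walk through the two responses from the post: original grant, then refresh.
function demo() {
  const store = new TokenStore();
  const grantReceivedAt = 1492009708510;    // issued_at of the original grant
  const refreshReceivedAt = 1492009846489;  // issued_at of the refresh
  store.record(filterTokenResponse(SAMPLE_GRANT_RESPONSE, 'password'), grantReceivedAt);
  store.record(filterTokenResponse(SAMPLE_REFRESH_RESPONSE, 'refresh_token'), refreshReceivedAt);
  return store;
}

module.exports = { filterTokenResponse, TokenStore, demo, SAMPLE_GRANT_RESPONSE, SAMPLE_REFRESH_RESPONSE };
```

Hiding the rotated token in the response is only half of the requirement: it does not by itself make the authorization server keep honouring the original refresh token after a refresh. Before relying on this, do a second refresh with the original value and confirm it is still accepted; if the server invalidates the old token on rotation, a client that never saw the new one will be locked out once the access token expires.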