How to manage Refresh token on Safewhere*Identify

Introduction


Since version 2.0, OAuth has included the refresh token on top of its popular access token. An access token contains information about the scopes or roles of a user for a certain service. Originally, issuing an access token meant the issuer relinquished control over that token: the issuer could not revoke the token once it was given. This opened many security holes. When an attacker successfully acquires the access token, it is as disastrous as a thief gaining entrance to your secret vault. This risk forces developers to limit the life span of access tokens to a very short period, typically from a few minutes to an hour, which reduces usability because the user has to log in frequently. This is where refresh tokens come in handy. Refresh tokens have a much longer lifetime, from a week to a few months, and they spare users from logging in again once the access token has expired, because the application automatically requests a new access token from the issuer. Moreover, implementing refresh tokens improves system security because the issuer can revoke a given refresh token at any time.

With versions of Safewhere*Identify before 4.2, a client had to obtain a suitable access token in order to access the REST APIs. The process was complicated and time consuming. The admin also needed to write a web application that implemented OAuth 2.0 to ask the user to log in and then send those requests to the token's issuer. The problem escalated when working with Windows services that have no user interaction, because the admin would unavoidably have to write a specific application just to log in.

To eliminate the hassle, Safewhere*Identify has launched API Keys, which autogenerate tokens and only require the Identify*Admin logon. You no longer have to compromise between security and usability, as Safewhere*Identify has it all covered for you.

"Any society that would give up a little liberty to gain a little security will deserve neither and lose both."  - Ben Franklin

How to Set Up and Get the Refresh Token and the Access Token in the UI


1. Go to the connection list on Admin, select Tools\OAuth 2.0 to create the OAuth 2.0 Protocol Connection at the Root organization.


2. After the "Identify OAuth2 Token for REST APIs" connection is created on the connection list, go to the My profile page and select My REST API Key.
3. Click the Generate button to create the OAuth2 refresh token.

4. Click the Test button to create the OAuth 2.0 access token.


FAQ


Question: Can I revoke the refresh token on my list?
Answer: Yes, you can check the Revoke check box below the refresh token you want and then click the Revoke button.
Question: How can I verify if all refresh tokens are valid?
Answer: You can click the Test button to verify it. If it's valid, an access token will be generated. Otherwise, no access token is generated.
Question: Do my refresh tokens update with the new values if I use the Test feature?
Answer: By default, the refresh tokens don't update with new values. However, if the "Allow issue the new refresh token when exchange a refresh token for an access token" option on the "Identify OAuth2 Token for REST APIs" connection is enabled, they will be updated with new values every time you click the Test button.
Question: How can I manage the lifetime of the access token as well as the refresh token?
Answer: By default, the lifetime of the access token is 60 minutes and that of the refresh token is 105200 minutes (aka two years). To change these values, go to the connection list, open the edit page of the "Identify OAuth2 Token for REST APIs" connection, and update the number in the Token life time/Refresh token life time fields.
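A client that consumes such a refresh token has to cope with the cases this FAQ describes: a revoked token yields no access token, and with the rotation option enabled every exchange returns a replacement refresh token. The sketch below is an added example, not Safewhere code; it assumes a standard RFC 6749 refresh grant, and `TOKEN_URL`, the `client_id` parameter and the in-memory `store` dictionary are hypothetical.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Assumption: placeholder URL; use the token endpoint of your own Identify tenant.
TOKEN_URL = "https://identify.example.com/oauth2/token"


class TokenRequestFailed(Exception):
    """The issuer returned an error instead of an access token."""


def build_refresh_request(refresh_token, client_id):
    # RFC 6749 section 6: form-encoded body for the refresh_token grant.
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,  # assumption: the connection expects a client id
    }).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST")


def apply_token_response(store, status, payload, now=None):
    """Update the local token store from a token-endpoint reply."""
    now = time.time() if now is None else now
    if status != 200:
        if payload.get("error") == "invalid_grant":
            # Revoked or expired: stop retrying with a dead token.
            store.pop("refresh_token", None)
        raise TokenRequestFailed(payload.get("error", "unknown_error"))
    store["access_token"] = payload["access_token"]
    # Fall back to the 60-minute default lifetime if expires_in is absent.
    store["expires_at"] = now + int(payload.get("expires_in", 3600))
    # Rotation on: a replacement arrives. Rotation off: keep the stored one.
    if payload.get("refresh_token"):
        store["refresh_token"] = payload["refresh_token"]
    return store


def refresh(store, client_id):
    """Run the exchange over HTTPS; needs a reachable issuer."""
    req = build_refresh_request(store["refresh_token"], client_id)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return apply_token_response(store, resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        return apply_token_response(store, err.code, json.load(err))
```

When rotation is enabled, persist the new refresh token before using the new access token; otherwise a crash between the two steps leaves the client holding only the superseded value.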