Clean up invalid and expired OAuth token data
The way OAuth and OIDC logins work requires Safewhere Identify to store data about issued tokens in a database. In busy systems, you might notice that the OAuthAccessToken and AuditOAuthAccessToken tables accumulate data rapidly. While there is a manual guide available for cleaning up this data, this document provides guidance on configuring the auto-cleanup feature to automatically remove invalid and expired token data.
Settings
The auto-cleanup feature automates the scheduling of background jobs to remove all invalid and expired token data. To control these jobs effectively, specific settings are required:
- OAuth access token retention days: This setting determines the timeframe, measured in days, during which an expired token will be retained. The default value is set to 7 days, meaning an expired token will be retained for 7 days following its expiration date.
- OAuth access token clean up execution time (minutes): This setting defines the timeout for the cleanup process in minutes. It specifies the maximum duration allowed for the cleanup operation to complete its tasks, preventing it from running indefinitely and potentially impacting system performance. You can adjust this value to meet the specific requirements and resources of your system. The default value is 60 minutes.
- OAuth access token clean up cron: This setting sets the schedule for automated tasks responsible for removing expired and invalid OAuth access tokens from the system. The default value, "0 0 * * *" (every midnight), indicates that the cleanup process runs daily at midnight.
You can customize these settings based on your organization's security policies and operational needs, choosing alternative schedules or frequencies as necessary.
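As an added illustration (not Identify's own code), the following Python models how the three settings interact: an expired token becomes a cleanup candidate only once the retention window has passed, an invalid (revoked) token is removed at the next run, and the job stops once its execution time budget is exhausted instead of running indefinitely. The token fields, batch size and the injectable clock are assumptions for the example; Identify's table layout is not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import time


@dataclass
class Token:
    id: str
    expires_at: datetime
    revoked: bool = False   # an "invalid" token: removed regardless of retention


def is_cleanup_candidate(tok: Token, now: datetime, retention_days: int = 7) -> bool:
    """Documented rule: an expired token is kept for retention_days after its
    expiry date; revoked (invalid) tokens are eligible as soon as the job runs."""
    if tok.revoked:
        return True
    return tok.expires_at + timedelta(days=retention_days) <= now


def select_for_cleanup(tokens, now, retention_days=7):
    """Return the ids of tokens the job would delete at this run."""
    return [t.id for t in tokens if is_cleanup_candidate(t, now, retention_days)]


def run_cleanup(tokens, now, retention_days=7, timeout_minutes=60,
                batch_size=1000, clock=time.monotonic):
    """Delete candidates in batches and stop when the configured execution time
    is used up. Returns (deleted_ids, finished); finished=False means the job
    hit its timeout and the remainder is left for the next scheduled run."""
    deadline = clock() + timeout_minutes * 60
    candidates = select_for_cleanup(tokens, now, retention_days)
    deleted = []
    for start in range(0, len(candidates), batch_size):
        if clock() >= deadline:          # time budget exhausted: stop cleanly
            return deleted, False
        deleted.extend(candidates[start:start + batch_size])
    return deleted, True


# Constructed sample data: the job runs at midnight on 2024-01-15 (UTC).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_TOKENS = [
    Token("old", datetime(2024, 1, 1, tzinfo=timezone.utc)),    # expired 14 days ago
    Token("edge", datetime(2024, 1, 8, tzinfo=timezone.utc)),   # exactly 7 days ago
    Token("recent", datetime(2024, 1, 10, tzinfo=timezone.utc)),  # still inside retention
    Token("live", datetime(2024, 2, 1, tzinfo=timezone.utc)),   # not yet expired
    Token("revoked", datetime(2024, 2, 1, tzinfo=timezone.utc), revoked=True),
]

if __name__ == "__main__":
    print(run_cleanup(SAMPLE_TOKENS, NOW))
```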
Notes
- Although these settings mention access tokens, they actually apply to the cleanup of all types of tokens.
- If the job has run and data has been removed, you can view the details in the Audit log.
- The auto-cleanup feature exclusively supports the MSSQL Database provider.
- This feature is available starting from version 5.16. It is recommended that you manually run scripts to delete all obsolete tokens before upgrading your Identify instance to version 5.16. If your database contains a significant amount of obsolete OAuth token data, the upgrade might encounter issues, or the cleanup process may run indefinitely.
- The job also performs data cleanup for token information in the Audit database.