How to set Oauth token expiration?

Question

I'm interfacing with the CF API at Bluemix. I authenticate to the OAuth endpoint with the following:

oauth_endpoint = 'https://login.ng.bluemix.net/UAALoginServerWAR/oauth/token'

http_headers = {
    'Authorization': 'Basic Y2Y6'
}
http_payload = {
    'grant_type': 'password',
    'username': user,
    'password': pw
}

response = requests.post(oauth_endpoint, data=http_payload, headers=http_headers)
results = response.json()
authorization = results['token_type'] + ' ' + results['access_token']

authorized_headers = {
    'Authorization': authorization
}

And then to refresh the token:

http_refresh_payload = {
    'grant_type': 'refresh_token',
    'refresh_token': results['refresh_token']
}

response = requests.post(oauth_endpoint, data=http_refresh_payload, headers=http_headers)
results = response.json()
authorization = results['token_type'] + ' ' + results['access_token']

authorized_headers = {
    'Authorization': authorization
}

The expiration on these tokens is longer than I want. How do I specify a shorter expiration?

score 0 · Accepted Answer · answered Aug 25 '17 at 17:07

0

While I've not been able to figure out how to set the expiration on the oauth token, I was able to solve my requirement with an alternate approach. This post had the answer. To wit, I set the expiration on the Flask session object after making it permanent.

answered Aug 25 '17 at 17:07

KineticSquid

316
3
13

1

I don't think you, as a user, can control that. The duration of tokens is set by the administrator of your UAA server (globally here -> https://github.com/cloudfoundry/uaa-release/blob/develop/jobs/uaa/spec#L385-L390). It can also be set on a per-client basis. You are using the `cf` client though, designed to be used with the cf cli and also configured by your platform administrator, so it cannot be customized there either. Essentially to make this work, you either need to ask for a custom client or do what you're doing and just destroy the access/refresh tokens prematurely. – Daniel Mikusa Aug 27 '17 at 19:39
Thanks for the pointer. Yes, it does make sense that this is an admin level thing. – KineticSquid Aug 28 '17 at 20:43

score -1 · Answer 2 · answered Aug 24 '17 at 16:45

-1

Bluemix login oauth token expire in 1 day. You can use the refreshtoken after sometime.

answered Aug 24 '17 at 16:45

Dharmesh Fumakiya

2,276
2
11
17

What I'm seeing is more like two weeks. Here is the JSON response from the first call: `{ "scope": "openid uaa.user cloud_controller.read password.write cloud_controller.write", "refresh_token": "blah, blah", "access_token": "blah, blah", "jti": "blah, blah", "expires_in": 1209599, "token_type": "bearer" }` Regardless, whether it's one day or two weeks, I'd like to make the expiration period less than what I'm getting by default. – KineticSquid Aug 24 '17 at 17:20

How to set Oauth token expiration?

2 Answers2