Enhanced refresh token strategy
You now have more precise control over your refresh token expiration strategy. When an OAuth 2.0 client application requests a new access token using the refresh token grant type, the Pega Platform response includes the new access token as well as the refresh token. In the Token Management section, you choose the refresh token issuance mechanism and the expiration of various tokens issued by Pega Platform.
Supporting grant types
The new access token expiry time is set to the value provided in Access token lifetime (in seconds).
Token Management
The Token Management section lets you choose the refresh token issuance mechanism.
In the Token Management section, the Token issuance setting for the refresh token has three options, described in the following table:
| Token Issuance Method | Behavior |
| --- | --- |
| Issue once and keep until expiry | Each time a new access token is requested using the Refresh token grant type, Pega Platform issues the same refresh token, with the expiry time updated to the remaining token lifetime using the value provided in Refresh token lifetime (in seconds). |
| Issue a new refresh token without changing expiry | Each time a new access token is requested using the Refresh token grant type, Pega Platform issues a new refresh token, with the expiry time updated to the remaining token lifetime using the value provided in Refresh token lifetime (in seconds). |
| Issue a new refresh token and reset expiry | Each time a new access token is requested using the Refresh token grant type, Pega Platform issues a new refresh token, with the expiry time reset to the value provided in Refresh token lifetime (in seconds). |
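The following added example (a model written for this page, not Pega Platform code) simulates the three issuance methods from the table to show how each one affects how long a client that keeps refreshing can hold a valid refresh token. The mode constants, class, and function names are assumptions made for the illustration, and the model does not cover what happens to the previous refresh token after a new one is issued, because the table does not state it.

```python
import secrets
from dataclasses import dataclass

# Mode names are invented for this example; each mirrors one row of the table.
ISSUE_ONCE = "issue once and keep until expiry"
NEW_KEEP_EXPIRY = "issue a new refresh token without changing expiry"
NEW_RESET_EXPIRY = "issue a new refresh token and reset expiry"


@dataclass(frozen=True)
class RefreshToken:
    value: str
    expires_at: int  # absolute time, in seconds


def issue(expires_at):
    """Create a refresh token with a fresh random value and the given deadline."""
    return RefreshToken(secrets.token_urlsafe(32), expires_at)


def refresh(token, mode, now, refresh_lifetime):
    """Model one refresh token grant; returns (refresh token, expires_in)."""
    if now >= token.expires_at:
        raise PermissionError("refresh token expired")
    if mode == ISSUE_ONCE:
        result = token                          # same value, same deadline
    elif mode == NEW_KEEP_EXPIRY:
        result = issue(token.expires_at)        # new value, same deadline
    elif mode == NEW_RESET_EXPIRY:
        result = issue(now + refresh_lifetime)  # new value, deadline moves
    else:
        raise ValueError(f"unknown mode: {mode}")
    return result, result.expires_at - now


def usable_until(mode, refresh_lifetime, refresh_every, horizon):
    """Time at which a client refreshing every `refresh_every` seconds loses
    its refresh token, capped at `horizon` (all values in seconds from 0)."""
    token, now = issue(refresh_lifetime), 0
    while now + refresh_every < horizon:
        now += refresh_every
        try:
            token, _ = refresh(token, mode, now, refresh_lifetime)
        except PermissionError:
            break
    return min(token.expires_at, horizon)


if __name__ == "__main__":
    for mode in (ISSUE_ONCE, NEW_KEEP_EXPIRY, NEW_RESET_EXPIRY):
        print(f"{mode}: usable until t={usable_until(mode, 3600, 600, 86400)}s")
```

With a 3600-second refresh token lifetime and a refresh every 600 seconds, the first two methods end the session at 3600 seconds, while the reset method keeps it alive for as long as the client continues to refresh.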
Identity Provider (IdP) session bounded refresh tokens
When refresh tokens are used in combination with the authorization code grant type and single sign-on (SSO) through Pega Authentication services, you can choose to set the refresh token expiry time to the session timeout value provided by the IdP during SSO.
When Authorization code and Set refresh token expiry from IdP session expiry are selected:
- The refresh token expiry value is set to the same value as the IdP session expiry.
- The refresh token lifetime value specified in the Token Management section of the rule form is not considered.