Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[APIM 4.1.0] Add multiple-active-access-tokens documentation. #8619

Closed
wants to merge 1 commit into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
# Multiple Active Access Tokens

WSO2 API Manager by default allows only one active access token to be in existence for the same Consumer Key, User and Scope combination at a given time. This behaviour can be modified to allow multiple access tokens as described in the following sections.

## JWT

When issuing `JWT` tokens before the expiry or revocation of the previous token, the default behaviour is to revoke the previous token and issue a new token. With the following configuration, it can be configured to issue a new token before expiry and without revoking the old token, allowing the existence of multiple active access tokens at the same time.

```toml
[oauth.jwt.renew_token_without_revoking_existing]
enable = true
```

By default only the `client_credentials` grant type is allowed to generate multiple access tokens. This can be configured by the following configuration.

```toml
[oauth.jwt.renew_token_without_revoking_existing]
enable = true
allowed_grant_types = [“client_credentials”, “password”]
```

!!! note
If you are customizing the `allowed_grant_types` make sure to add or remove the default value `client_credentials` as per the requirement.

## Opaque

When issuing `opaque` tokens before the expiry or revocation of the previous token, the default behaviour is to issue the existing token which is stored in the DB. With the following configuration, it can be configured to allow the existence of multiple active access tokens at the same time.

```toml
[oauth.opaque.renew_token_without_revoking_existing]
enable = true
```

By default only the `client_credentials` grant type is allowed to generate multiple access tokens. This can be configured by the following configuration.

```toml
[oauth.opaque.renew_token_without_revoking_existing]
enable = true
allowed_grant_types = [“client_credentials”, “password”]
```

!!! note
If you are customizing the `allowed_grant_types` make sure to add or remove the default value `client_credentials` as per the requirement.
2 changes: 2 additions & 0 deletions en/mkdocs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -170,6 +170,7 @@ nav:
- Token Persistence: design/api-security/oauth2/token-persistence.md
- Encrypting OAuth2 Tokens: design/api-security/oauth2/encrypting-oauth2-tokens.md
- Hashing OAuth Keys: design/api-security/oauth2/hashing-oauth-keys.md
- Multiple Active Access Tokens: design/api-security/oauth2/multiple-active-access-tokens.md
- Provisioning Out-of-Band OAuth Clients: design/api-security/oauth2/provisioning-out-of-band-oauth-clients.md
- Securing OAuth Token with HMAC Validation: design/api-security/oauth2/securing-oauth-token-with-hmac-validation.md
- Threat Protection:
Expand Down Expand Up @@ -1951,6 +1952,7 @@ plugins:
'learn/api-security/oauth2/token-persistence.md': 'https://apim.docs.wso2.com/en/4.1.0/design/api-security/oauth2/token-persistence/'
'learn/api-security/oauth2/encrypting-oauth2-tokens.md': 'https://apim.docs.wso2.com/en/4.1.0/design/api-security/oauth2/encrypting-oauth2-tokens/'
'learn/api-security/oauth2/hashing-oauth-keys.md': 'https://apim.docs.wso2.com/en/4.1.0/design/api-security/oauth2/hashing-oauth-keys/'
'learn/api-security/oauth2/multiple-active-access-tokens.md': 'https://apim.docs.wso2.com/en/4.1.0/design/api-security/oauth2/multiple-active-access-tokens/'
'learn/api-security/oauth2/provisioning-out-of-band-oauth-clients.md': 'https://apim.docs.wso2.com/en/4.1.0/design/api-security/oauth2/provisioning-out-of-band-oauth-clients/'
'learn/api-security/oauth2/securing-oauth-token-with-hmac-validation.md': 'https://apim.docs.wso2.com/en/4.1.0/design/api-security/oauth2/securing-oauth-token-with-hmac-validation/'
'learn/api-security/threat-protection/bot-detection.md': 'https://apim.docs.wso2.com/en/4.1.0/design/api-security/threat-protection/bot-detection/'
Expand Down