Adjusting OAuth 2.0 Token Life Times and Revoking Tokens with OTDS 16

Pete_Oliver
Pete_Oliver E Community Moderator
edited July 19, 2021 in Articles #1

originally posted June 14, 2019 | 🕐️ 3 minute read

This article details how to configure OTDS 16 (and OTDS 10.5 Patch 6 and onwards) with customized Access Token and Refresh Token life times. It also shows how to revoke user's OAuth 2.0 tokens.

Prerequisites

  • OTDS 16 (or 10.5 Patch 6 or later). You can download it from the OpenText Knowledge Centre here.

Install and Configure OTDS

Refer to the OTDS documentation for details on installation and basic configuration.

This article will assume that your OTDS host address is http://localhost:8080.

Out of the box, OTDS requires additional configuration to enable OAuth 2.0 authentication. A useful guide may be found here here.

OTDS REST API

OTDS provides a RESTful API for all administrative operations. OTDS 16 does not include OAuth 2.0 operations as part of its regular administration user interface, therefore this guide will show you how to use the RESTful API to access and modify the token life time settings. The only tool you will need for this is a modern web browser.

OTDS includes full Swagger interface to the REST API. To access it, launch your browser against http://localhost:8080/otdsws/rest. You will need to sign in with your OTDS Administrator Credentials. Once logged in you will see something resembling this:


Life Time Settings are per User Partition

OTDS allows different values for token life times, which are set at the level of the User Partition.

Determine the Current Values for OAuth 2.0 Token Life Times

Expand out the partitions section, then the section entitled GET /partitions/{partition_name}/oauthsettings, or enter this link into your browser

http://localhost:8080/otdsws/api/index.html?rest#!/partitions/getOAuthSettings_get_3

Enter a value for partition_name and click Try it out!:


In this example, the Response Body shows null values for both the access token and authentication code life times. When either of these values shows null, the following defaults apply:

+---------------------+----------------+
| Parameter           | Time (Seconds) |
+---------------------+----------------+
| accessTokenLifeTime | 3600           |
| authCodeLifeTime    | 300            |
+---------------------+----------------+

Authorization Code Life Time (authCodeLifeTime)

The Authorization Code is specified by RFC 6749 Section 4.1 Authorization Code Grant. You probably don't need to change its life time from the default of five minutes.

Access Code Life Time (accessCodeLifeTime)

The Access Code is specified by RFC 6749. In OTDS its default life time is 60 minutes. You can change its value using the Swagger UI.

Navigate to the partitions section, and expand the section entitled PUT /partitions/{partition_name}/oauthsettings:


The following example shows how to set the Access Token life time to 30 minutes (1,800 seconds), adjust as required for your installation.

Into the body section, enter the following:

{ "accessTokenLifeTime":1800 }

and click on Try it out!:


A Response Code of 204 indicates the setting change was successful.

Revoking a User's OAuth Tokens

A user's OAuth 2.0 tokens can be revoked, which is something you should do if you think the user's account or tokens have been compromised or leaked. With OTDS 16, the REST API can be used to do this.

Navigate in the Swagger UI to users then DELETE /users/{user_id}/oauthtokens:

Enter the user_id and click on Try it out!. A response status of 204 indicates success: