Access Manager OAuth Refresh Token Timeout not being honoured

  • 7016869
  • 28-Sep-2015
  • 01-Oct-2015

Environment

NetIQ Access Manager 4.1
OAuth 2.0 Authentication

Situation

When configuring global settings, the following token timeouts may be configured

Authorization Code Timeout        Specify the duration in minute after how long the authorization code becomes invalid.
Access Token and ID Token Timeout    Specify the duration in minute after how long the Access token and ID token become invalid.
Refresh Token Timeout            Specify the duration in minute after how long the Refresh token becomes invali
d.

Testing showed that the Authorization Codes and Access Tokens were timing out as configured,  the refresh token was not timing out after the configured number of minutes.

Resolution

This issue has been corrected in Access Manager 4.2. The UI now displays days, not minutes for Refresh Token Timeout

Cause

Refresh Tokens are normally configured in the order of days, not minutes and this is an error in the Access Manager interface. The configuration units are days, not minutes, so the Refresh Token will timeout if the units are read as days.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.