Access Manager OAuth Refresh Token Timeout not being honoured

  • 7016869
  • 28-Sep-2015
  • 01-Oct-2015

Environment

NetIQ Access Manager 4.1
OAuth 2.0 Authentication

Situation

When configuring global settings, the following token timeouts may be configured:

Setting                              Description
Authorization Code Timeout           Specify the duration in minutes after which the authorization code becomes invalid.
Access Token and ID Token Timeout    Specify the duration in minutes after which the Access Token and ID Token become invalid.
Refresh Token Timeout                Specify the duration in minutes after which the Refresh Token becomes invalid.

Testing showed that authorization codes and access tokens were timing out as configured, but the refresh token was not timing out after the configured number of minutes.

Resolution

This issue has been corrected in Access Manager 4.2. The UI now displays days, not minutes, for the Refresh Token Timeout.

Cause

Refresh Tokens are normally configured in the order of days, not minutes, and the "minutes" label is an error in the Access Manager interface. The configuration unit is actually days, so the Refresh Token does time out as expected once the configured value is read as days.
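To confirm which unit the server is actually applying to the configured Refresh Token Timeout, the following added example (not code from NetIQ or from this article) infers the enforced lifetime from a series of refresh_token grant attempts. The attempt records and their one-line format are constructed for the example; they are not Access Manager's own log format.

```python
from datetime import datetime, timedelta

# Constructed sample: one refresh token issued, then refresh_token grant
# attempts in chronological order. "ok" means a new access token came back,
# "invalid_grant" means the server rejected the refresh token. Not real NAM logs.
SAMPLE_ATTEMPTS = """\
2015-09-28T10:00:00 issued
2015-09-28T10:45:00 ok
2015-09-28T23:00:00 ok
2015-09-30T09:00:00 ok
2015-09-30T11:00:00 invalid_grant
"""


def parse_attempts(text):
    """Return (issued, last successful refresh, first rejection) timestamps."""
    issued = last_ok = first_fail = None
    for line in text.splitlines():
        ts_str, status = line.split()
        ts = datetime.fromisoformat(ts_str)
        if status == "issued":
            issued = ts
        elif status == "ok" and first_fail is None:
            last_ok = ts
        elif status == "invalid_grant" and first_fail is None:
            first_fail = ts
    if issued is None:
        raise ValueError("no issuance record in sample")
    return issued, last_ok, first_fail


def effective_unit(text, configured_value):
    """Decide whether the configured Refresh Token Timeout value is being
    enforced as minutes or as days. The true lifetime must be at least the
    age of the last successful refresh and at most the age of the first
    rejection (if one was observed)."""
    issued, last_ok, first_fail = parse_attempts(text)
    lower = (last_ok - issued) if last_ok else timedelta(0)
    upper = (first_fail - issued) if first_fail else None
    candidates = (("minutes", timedelta(minutes=configured_value)),
                  ("days", timedelta(days=configured_value)))
    consistent = [unit for unit, lifetime in candidates
                  if lifetime >= lower and (upper is None or lifetime <= upper)]
    if len(consistent) == 1:
        return consistent[0]
    return "ambiguous" if consistent else "neither"
```

With the sample above and a configured value of 2, the function reports "days": the token was still accepted 47 hours after issuance, which rules out a 2-minute lifetime.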