ISC: Expiry of "external triggers" tokens generated by /oauth/token is 68 years

adamian · May 23, 2024, 3:33pm

What problem are you observing?

The HTTP answer from the https://tenant.api.identitynow.com/oauth/token?grant_type=client_credentials has the attribute expires_in set to 2147483646.
According to Authentication | SailPoint Developer Community

The expires_in value describes the lifetime, in seconds, of the access_token

This means the token expires in 68 years.

The JWT access_token (when decoded) contains a similar long exp:

I think that either

the values presented are incorrect (and the actual expiration is much shorter)
or the value is way too long from a standard security practice

What is the correct behavior?

The expiration token should be shorter. Colin mentions something about 30 days here: Implementing A Request Response Type Trigger in Workflows

This will produce an access_token that expires every 30 days.

His access token had the same large expires_in return value:

What product feature is this related to?

Generating access tokens for ISC.

What are the steps to reproduce the issue?

From Colin’s post:

Start by creating a new workflow that is triggered by an external trigger. Click the “New Access Token” button to get the client credentials used to authenticate to the workflow
Use the command presented in the UI: curl -H "Authorization: Basic NzU...." -X POST "https://tenant.api.identitynow.com/oauth/token?grant_type=client_credentials"
Check the expires_in. Check the exp from the access_token on jwt.io.

Do you have any other information about your environment that may help?

No.

colin_mckibben · May 23, 2024, 4:07pm

The token expiration time for external triggers is much longer than for PATs (12 hours). The external trigger token itself is specifically limited and purpose built for triggering the workflow and that workflow alone. The token cannot be used for anything else. We made a decision to set the timeout far into the future to prevent failed workflows as it was deemed extremely low risk. This allows the admins to control token rotation on their schedule. This is important because once the token is rotated/regenerated, the former token is invalidated. Thus the admins control the rotation on their schedule and invalidate the tokens when a new one is generated avoiding failed workflow executions.

As for my blog post, it looks like it’s outdated and I need to update it. I must have incorrectly assumed the expiration was in milliseconds instead of seconds. The good news is that you won’t need that second workflow to refresh the token since it effectively doesn’t expire.

colin_mckibben · May 23, 2024, 4:15pm

I have updated my blog post accordingly. FYI @adamian , you could use these steps listed here to implement a more frequent token rotation schedule if you wanted to.

adamian · May 24, 2024, 7:11am

Thanks for the clarification, @colin_mckibben . I thought it was an error as 2147483646 = 2**31, so it looked more like a placeholder than a value which was specifically settled upon.

Topic		Replies	Views
New Capability: Personal Access Token Expiration Support Product News identity-security-cloud , new-capability , personal-access-tokens	13	300	March 10, 2026
Expiry attribute on webservice connector using OAuth IdentityIQ (IIQ)	1	1046	January 24, 2022
Workflow External Trigger OAuth 500 error ISC Discussion and Questions workflows , identity-security-cloud	13	514	April 13, 2024
Web Service Connector Access Token Issue ISC Discussion and Questions webservice-connector , apis , identity-security-cloud	2	341	November 6, 2023
Announcement: Personal Access Tokens Expiration Policy Product News apis , general-announcement	36	1398	January 9, 2026