Refresh token renewal

Hello everybody!
I have quite an unusual question. I have been trying to read the documentation on the refresh token grant type with the web services connector, but couldn't find the info I need. Maybe somebody here knows the answer.
So essentially, we are using refresh token grant type (client credentials is not supported, only refresh token or auth code, or password).
Password grant type could be the most obvious route, but we want to try refresh token grant type in Sailpoint. The problem is that refresh token expires every 14 days, and access token expires in 10 minutes.
Just to be clear, in access_token generation I provide client_id and secret along with the refresh token. The response contains an access token and a refresh token. So will the new refresh token replace the old one automatically, OR do I need to change the refresh token manually every 14 days? Will it map into the refresh token automatically? FYI, I set up everything and everything seems to work, but I wonder if I have to manually replace the refresh token in 2 weeks. P.S. I used the password grant_type to generate the initial refresh token I used in the source configuration.
Also, has anybody used the auth code grant_type? I am trying to figure out a way that won't involve using passwords and usernames.

Hi @pulatoi ,
As per the standard workflow, the connector should handle the automatic generation of a new access token using the existing refresh token, Client ID & Secret, whenever the access token expires. This is a standard OAuth 2.0 flow.

Hey Prashanth,
I do get that part, the question was about the refresh token itself, not the access token. Sailpoint generates the access token using the refresh token. The refresh token expiration lifetime is 2 weeks. When Sailpoint generates an access token using the tokenURL, it returns an access token (which is mapped into $application.accesstoken$, and can be used later on) AND a refresh token. So my question is: is the new refresh token mapped into Sailpoint and the old one replaced, or do I have to replace the refresh token in 2 weeks?

Hi @pulatoi ,
Sorry about that. Yes, in my experience, IDN doesn't automatically update the refresh token if the response from the token endpoint contains a new one. You will need to manually update the refresh token in the source configuration every 14 days or whenever it expires. The current implementation of the Web Services connector does not map and replace the refresh token automatically in SailPoint.

Hope this helps!!

Hi,

Generally refresh tokens will have a longer validity. It's not ideal to change the token every 14 days.

Instead you can make use of custom authentication and generate refresh token every time before doing HTTP operation.

-Abhinov

@pulatoi you can use the custom authentication option, which allows you to authenticate using client id and secret, store the access token and use it in other HTTP operations.

Abhinov, any suggestions on how to use custom authentication if the target application doesn't support the client_credentials grant type? It only supports the password, refresh token and auth code grant_types. Any suggestions?

Shantanu, like I mentioned before, I tried to use the custom auth path, but I faced the issue that there is no client_credentials grant_type. The target application offers to obtain an access token with either username/password or auth code. Any suggestions?

Hi,

We have a couple of steps here.

  1. Generate refresh token.
  2. Generate access token.

Using custom authentication you can first generate the refresh token, and you can write an after rule for the custom authentication operation to generate the access token from the refresh token generated.

You can add this into a source variable and use the access token in all HTTP operations.

-Abhinov
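Added example, not code from the thread, from SailPoint or from the target application: a Python simulation of the refresh-token rotation discussed above, with a constructed token endpoint and a connector-side credential store. It shows why a connector that does not persist the rotated refresh token stops working once the 14-day lifetime passes (or after a single refresh if the server revokes the presented token), while one that stores the new token keeps working.

```python
import secrets
from dataclasses import dataclass

ACCESS_TTL = 10 * 60           # access token lifetime from the thread: 10 minutes
REFRESH_TTL = 14 * 24 * 3600   # refresh token lifetime from the thread: 14 days

class TokenEndpoint:  # constructed stand-in for the target token URL; every refresh grant rotates the refresh token
    def __init__(self, initial_refresh: str, now: int, revoke_old: bool = False):
        self._valid = {initial_refresh: now + REFRESH_TTL}  # refresh token -> expiry (seconds)
        self.revoke_old = revoke_old  # some servers also invalidate the presented token on rotation

    def refresh(self, refresh_token: str, now: int) -> dict:
        exp = self._valid.get(refresh_token)
        if exp is None or now >= exp:
            raise PermissionError("invalid_grant")  # unknown, revoked or expired refresh token
        if self.revoke_old:
            del self._valid[refresh_token]
        new_refresh = secrets.token_urlsafe(16)
        self._valid[new_refresh] = now + REFRESH_TTL
        return {"access_token": secrets.token_urlsafe(16), "expires_in": ACCESS_TTL, "refresh_token": new_refresh}

@dataclass
class SourceConfig:  # connector-side stored credentials (the thread's $application.accesstoken$ plus refresh token)
    refresh_token: str
    access_token: str = ""
    access_expires_at: int = 0

def get_access_token(cfg: SourceConfig, endpoint: TokenEndpoint, now: int, persist_rotated: bool) -> str:
    """Return a usable access token; with persist_rotated the new refresh token replaces the stored one."""
    if now < cfg.access_expires_at:
        return cfg.access_token
    resp = endpoint.refresh(cfg.refresh_token, now)
    cfg.access_token = resp["access_token"]
    cfg.access_expires_at = now + resp["expires_in"]
    if persist_rotated and "refresh_token" in resp:
        cfg.refresh_token = resp["refresh_token"]
    return cfg.access_token

def simulate(persist_rotated: bool, revoke_old: bool = False, days: int = 30) -> int:
    """Run one HTTP operation per hour for `days`; return how many succeed before the first invalid_grant."""
    endpoint = TokenEndpoint("initial-rt", now=0, revoke_old=revoke_old)
    cfg = SourceConfig(refresh_token="initial-rt")
    ok = 0
    for hour in range(days * 24):
        try:
            get_access_token(cfg, endpoint, hour * 3600, persist_rotated)
        except PermissionError:
            break
        ok += 1
    return ok
```

`simulate(False)` succeeds for exactly 14 days of hourly calls and then fails with invalid_grant, which is the behaviour described in the thread; `simulate(True)` runs for the full period.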
