This documentation supports the 22.1 version of BMC Helix Single Sign-On, which is available only to BMC Helix customers (SaaS). 

To view an earlier version, select the version from the Product version menu.

Automatically extending OAuth 2.0 user sessions by enabling refresh tokens

The BMC Helix Single Sign-On agent supports auto−refreshable tokens that enable infinite user sessions. Such user sessions remain active for a set timeout period. It helps an application to keep the working process active by receiving the new access token for a particular Client ID.

Configurations are made by the BMC Helix SSO SaaS administrator and tenant administrator in the BMC Helix SSO agent and on the server via the BMC Helix SSO Admin Console.

Conditions for automatically extending user sessions with a refresh token

To automatically generate the new access and refresh tokens, the following preconditions should be met:

  • BMC Helix SSO user session associated with access token is valid (active).
  • Access token is valid.
  • Access token is set to expire in 5 minutes.
  • openid (Scope used for OpenID connect) and online-refresh (Online refresh) access scopes are enabled in OAuth2.0 client. These scopes also should be added as parameters on the BMC Helix SSO agent side in file (or on the Auth Proxy side).


When a user logs in to the BMC Helix SSO for the first time with the enabled OpenID and online-refresh access scopes, BMC Helix SSO generates a pair of refresh and access tokens for a user session. BMC Helix SSO generates both access and refreshes tokens during the subsequent user sessions, but only the new access token is passed to the BMC Helix SSO agent.

To configure server via the BMC Helix SSO Admin Console

As a BMC Helix SSO SaaS administrator or a tenant administrator you can configure auto−refreshable tokens on the server via the BMC Helix SSO Admin Console. For this, perform the following steps:

  1. Navigate to the OAuth2 tab > Clients.
  2. In the Allowed Scopes section, select openid and online-refresh checkboxes.
  3. In the Token timeouts section, specify necessary values for the Access Token Timeout field.

For more information about token timeouts, see Configuring OAuth 2.0.

To configure the BMC Helix SSO agent 

For the BMC Helix SSO agent, make the configurations in the file.

To receive auto−refreshable tokens, the oauth-scope key in the file should contain openid and online-refresh values. By default, the oauth-scope key contains openid value.

  1. Open the file and specify the following values separated by spaces: 

    oauth-scope=openid online-refresh
  2. Save your changes.

To configure the external Auth Proxy

To configure auto−refreshable tokens for the external Auth Proxy, add the following details in the Auth Proxy config file:

oidc_scope = "openid online-refresh"
redis_uri = "<redis_uri>"
redis_password = "<redis_pwd>"

Was this page helpful? Yes No Submitting... Thank you