This documentation supports the 24.2 and consecutive patch versions of BMC Helix Single Sign-On. To view an earlier version, select the version from the Product version menu.

Configuring token timeout for OAuth clients


BMC Helix SSO supports extended sessions based on refresh tokens. Unlike access tokens, refresh tokens are always kept in the backend and are visible to the frontend. This enables refresh token rotation, so a session can be prolonged for as long as needed.

For Auth Proxy, the refresh token is stored in the Redis database, where the access token acts as the key. The server looks up the refresh token in Redis by using the access token, and then uses that refresh token to obtain a new pair of access and refresh tokens from the server. The long-lived sessions for refresh tokens option is available for the Local type of authentication only.
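The Auth Proxy flow described above, as an added illustrative model written for this page rather than BMC's own code: an in-memory dictionary stands in for Redis and is keyed by the access token, so the frontend only ever presents the access token and the refresh token never leaves the store. The names TokenStore, Entry, ACCESS_TOKEN_TIMEOUT and REFRESH_TOKEN_TIMEOUT, the registered-client table and all timeout values are assumptions made for the example, and the current time is passed in explicitly so the behaviour can be checked without waiting. The model also enforces the two points the notes on this page make: an access token is unusable once its own timeout has passed, and a refresh requires a valid client id and secret and replaces the pair, so the old pair is revoked.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical values standing in for the console's Access Token Timeout and
# Refresh Token Timeout settings, in seconds (assumed for this example).
ACCESS_TOKEN_TIMEOUT = 300
REFRESH_TOKEN_TIMEOUT = 28800


@dataclass
class Entry:
    """Value stored under an access-token key: the paired refresh token and its expiry data."""
    refresh_token: str
    client_id: str
    access_expires_at: float
    refresh_expires_at: float


class TokenStore:
    """Model of the Auth Proxy token store: a dict stands in for Redis, keyed by access token."""

    def __init__(self, clients: Dict[str, str]) -> None:
        self._clients = clients            # registered client_id -> client_secret (constructed sample)
        self._db: Dict[str, Entry] = {}

    def issue(self, client_id: str, now: float) -> Tuple[str, str]:
        """Create a fresh access/refresh pair; both timeouts start counting from `now`."""
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._db[access] = Entry(refresh, client_id,
                                 now + ACCESS_TOKEN_TIMEOUT, now + REFRESH_TOKEN_TIMEOUT)
        return access, refresh

    def validate_access(self, access: str, now: float) -> bool:
        """An access token is accepted only until its own timeout, whatever the refresh token's state."""
        entry = self._db.get(access)
        return entry is not None and now < entry.access_expires_at

    def rotate(self, access: str, client_id: str, client_secret: str,
               now: float) -> Optional[Tuple[str, str]]:
        """Look up the refresh token by the (possibly expired) access token and swap the pair.

        Returns the new pair, or None when the client credentials are wrong, the key is
        unknown or belongs to another client, or the refresh token itself has timed out
        (the session is then over and the user must log in again).
        """
        expected = self._clients.get(client_id, "")
        if not secrets.compare_digest(expected, client_secret):
            return None                        # refresh needs a valid client id and secret
        entry = self._db.get(access)
        if entry is None or entry.client_id != client_id:
            return None
        del self._db[access]                   # single use: the old pair is revoked either way
        if now >= entry.refresh_expires_at:
            return None                        # refresh token expired: session cannot be prolonged
        return self.issue(client_id, now)      # new pair with a new refresh timeout
```

Because the refresh timeout is reset on every successful rotation, a session lives for as long as the client keeps rotating before REFRESH_TOKEN_TIMEOUT elapses, which is the "as long as needed" behaviour described above; a short ACCESS_TOKEN_TIMEOUT then bounds how long a leaked access token alone is useful.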

After you register a client, configure the token timeouts for the client application. 

To configure the token timeouts for OAuth

  1. Log in to the BMC Helix SSO Admin Console. 
  2. Select OAuth2 > Settings.
  3. Configure the following fields:

    Access Token Timeout
      Sets a timeout for the access token. After expiration, the issued access token is no longer valid. The same timeout also applies to ID tokens, which are generated when the openid scope is used.
      Important: This setting is not applicable to native clients. For native clients, the access token timeout is taken from the Max Session Time field available in General > Basic configuration of BMC Helix SSO.

    Refresh Token Timeout
      Sets a timeout for the refresh token. After expiration, the issued refresh token is no longer valid and can no longer be used to obtain new tokens.
      Important: Refresh tokens are not issued for native clients.

    OpenID Connect Issuer URL
      If the BMC Helix SSO agent uses the openid scope to support applications hosted on different domains, you must configure OAuth to use the URL of the server that issues the id_token. Enter the URL that matches the sso-external-url value configured in the rsso-agent.properties file.

    Important: The access and refresh tokens remain valid until they expire. To limit the window in which a leaked access token can be used, set a short Access Token Timeout. Refresh tokens have a longer validity, but they cannot be used without a valid client id and client secret.

  4. Click Save.

    Depending on the OAuth client application type, access and refresh token timeouts are set in different places:

    Native client
      Specify the timeout value for the access token in the Max Session Time field available in General > Server Configuration > Basic configuration.
      Important: Refresh tokens are not issued for native clients.

    Single-tenant client (the client can be registered in SaaS or in a custom tenant)
      • Specify the timeout values for a tenant by selecting the tenant and configuring the timeout values. These values apply to all clients in the tenant.
      • Specify the timeout values for a specific client in the tenant by selecting the Use custom token timeouts checkbox under Token timeouts in the client configuration.

    Multi-tenant client
      • Specify the timeout values at the SaaS tenant level by selecting the SaaS tenant and configuring the timeout values. These values apply to all SaaS clients.
      • Specify the timeout values for a specific SaaS client by selecting the Use custom token timeouts checkbox under Token timeouts. The values apply to all tenants specified in the client's redirect URIs. If the Use tenant token timeouts for multi-tenant clients option is enabled for a tenant included in the client's redirect URIs, the token timeouts defined for that tenant apply instead.

    Important: The Use tenant token timeouts for multi-tenant clients option takes priority over both the SaaS configuration and the Use custom token timeouts option in the client configuration.

  5. Click Save.
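The precedence rules in step 4, as an added resolver written for this page rather than taken from BMC Helix SSO: hypothetical Tenant and Client records carry flags that mirror the console options (Use custom token timeouts, Use tenant token timeouts for multi-tenant clients), and resolve() returns the access and refresh timeouts in force for a client when it is used from a given tenant, including the native-client case where the value comes from Max Session Time and no refresh token exists. The dataclass names, the "native" / "single-tenant" / "multi-tenant" kind strings and all sample values are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Timeouts:
    access: int              # Access Token Timeout, seconds
    refresh: Optional[int]   # Refresh Token Timeout, seconds; None when no refresh token is issued


@dataclass
class Tenant:
    name: str
    timeouts: Timeouts
    # Mirrors the console option "Use tenant token timeouts for multi-tenant clients" (assumed flag name)
    use_tenant_timeouts_for_multi_tenant_clients: bool = False


@dataclass
class Client:
    client_id: str
    kind: str                                   # "native", "single-tenant" or "multi-tenant" (assumed)
    tenant: Optional[str] = None                # owning tenant of a single-tenant client
    redirect_tenants: List[str] = field(default_factory=list)  # tenants named in the redirect URIs
    use_custom_token_timeouts: bool = False     # console checkbox "Use custom token timeouts"
    custom: Optional[Timeouts] = None           # values entered under Token timeouts


def resolve(client: Client, tenants: Dict[str, Tenant], saas: Tenant,
            max_session_time: int, target_tenant: Optional[str] = None) -> Timeouts:
    """Return the timeouts in force for `client`; `target_tenant` matters for multi-tenant clients only."""
    if client.kind == "native":
        # Access token lifetime comes from General > Basic configuration > Max Session Time;
        # native clients get no refresh token at all.
        return Timeouts(access=max_session_time, refresh=None)

    if client.kind == "single-tenant":
        if client.use_custom_token_timeouts and client.custom is not None:
            return client.custom                   # per-client override
        return tenants[client.tenant].timeouts     # tenant values apply to all of its clients

    if client.kind == "multi-tenant":
        tenant = tenants.get(target_tenant) if target_tenant else None
        if (tenant is not None and target_tenant in client.redirect_tenants
                and tenant.use_tenant_timeouts_for_multi_tenant_clients):
            return tenant.timeouts                 # highest priority: beats SaaS and custom values
        if client.use_custom_token_timeouts and client.custom is not None:
            return client.custom                   # applies to every tenant in the redirect URIs
        return saas.timeouts                       # SaaS tenant level: default for all SaaS clients

    raise ValueError(f"unknown client kind: {client.kind!r}")
```

When auditing a deployment, run every registered client through resolve() for each tenant it serves; a multi-tenant client that looks tightly configured under Use custom token timeouts can still inherit a long refresh lifetime from a tenant that has Use tenant token timeouts for multi-tenant clients enabled.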

 
