As mentioned above, you can limit the validity period of a token by setting its expiry time. To let the holder extend their access after the token expires, you can issue a refreshable token: presenting its refresh token yields a new access token with the same privileges as the original one. This takes ongoing token management out of the hands of the issuer and delegates it to the user who received the token, so a refresh token must be stored and handled as carefully as the access token it renews.
Who can refresh?
Only the instance (or HA cluster) that issued a refreshable token can actually refresh it.
Disabling the Option to Create Refreshable Tokens
From version 7.21.1, an admin can disable the option to create refreshable tokens by setting the parameter token.allow-refreshable to false in the $JFROG_HOME/artifactory/var/etc/artifactory/access.config.latest.yml file.
Grace Period for Extending an Expired Token
When a refreshable token expires, JFrog Access provides a grace period during which the token can still be refreshed. The length of this grace period is set by the parameter token.refresh-expiry in the $JFROG_HOME/artifactory/var/etc/artifactory/access.config.latest.yml file. The default setting for this parameter is 24 hours; once the grace period has also passed, the token can no longer be refreshed and a new one must be issued.
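The following script is an added example, not JFrog's own code, showing the full life cycle described above: minting a refreshable token with a short expiry, reading the token's exp and iss claims locally to decide whether it is still inside the exp plus token.refresh-expiry grace window, and then calling the refresh endpoint. It assumes the Access API v1 endpoint POST /access/api/v1/tokens with the body fields username, scope, expires_in and refreshable, the same endpoint with grant_type "refresh_token" for refreshing, and that the access token is a JWT carrying exp and iss; the sample token used for the offline check is constructed here with a dummy signature. Verify the endpoint, field names and the authentication required for the refresh call against your own Artifactory version.

```python
"""Refreshable-token life cycle against JFrog Access (added example, not JFrog code).

Assumptions not stated on the page above (check against your version):
  * POST <base>/access/api/v1/tokens with JSON {username, scope, expires_in, refreshable}
    mints a token and returns {access_token, refresh_token, expires_in, ...}.
  * The same endpoint with {"grant_type": "refresh_token", "refresh_token", "access_token"}
    performs the refresh.
  * The access token is a JWT whose payload carries `exp` (expiry) and `iss` (issuing
    instance), so the grace window and issuer rule can be pre-checked locally.
"""
import base64
import json
import time
import urllib.request

TOKENS_ENDPOINT = "/access/api/v1/tokens"          # assumed Access API v1 path
DEFAULT_GRACE_SECONDS = 24 * 60 * 60               # page: token.refresh-expiry defaults to 24 h


def build_create_request(username, scope, expires_in, refreshable=True):
    """JSON body for minting a token. A refreshable token only makes sense with a real
    expiry, so a non-positive expires_in (never expires) is refused here."""
    if expires_in <= 0:
        raise ValueError("use a positive expires_in; pair a short lifetime with refreshable=True")
    return {"username": username, "scope": scope,
            "expires_in": int(expires_in), "refreshable": bool(refreshable)}


def build_refresh_request(access_token, refresh_token):
    """JSON body for the refresh call (assumed field names)."""
    return {"grant_type": "refresh_token",
            "refresh_token": refresh_token, "access_token": access_token}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Read the JWT payload WITHOUT verifying the signature. Good enough to inspect
    exp/iss on a token you already hold; never use this to decide whether to trust one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def refresh_window(token, grace_seconds=DEFAULT_GRACE_SECONDS):
    """Return (exp, last moment at which a refresh is still accepted)."""
    exp = int(jwt_claims(token)["exp"])
    return exp, exp + grace_seconds


def can_refresh(token, now=None, grace_seconds=DEFAULT_GRACE_SECONDS, issuer_id=None):
    """Local pre-check mirroring the page's rules: still inside exp + grace, and, if the
    caller knows its own instance's issuer id, issued by this instance (only the issuing
    instance or HA cluster can refresh)."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    if issuer_id is not None and claims.get("iss") != issuer_id:
        return False
    return now <= int(claims["exp"]) + grace_seconds


def _post_json(base_url, body, bearer=None):
    headers = {"Content-Type": "application/json"}
    if bearer is not None:
        headers["Authorization"] = "Bearer " + bearer
    req = urllib.request.Request(base_url.rstrip("/") + TOKENS_ENDPOINT,
                                 data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def create_refreshable_token(base_url, admin_token, username, scope, expires_in):
    """Mint a short-lived refreshable token; fails loudly when the issuer hands back no
    refresh_token, e.g. because token.allow-refreshable is false (assumed response shape)."""
    resp = _post_json(base_url, build_create_request(username, scope, expires_in), bearer=admin_token)
    if "refresh_token" not in resp:
        raise RuntimeError("no refresh_token returned; is token.allow-refreshable disabled on the issuer?")
    return resp


def refresh_access_token(base_url, access_token, refresh_token, grace_seconds=DEFAULT_GRACE_SECONDS):
    """Refresh only while exp + token.refresh-expiry has not passed; after that, mint anew.
    Which credential authenticates the refresh call is version-specific (assumption: the
    possibly expired access token is sent as Bearer here)."""
    if not can_refresh(access_token, grace_seconds=grace_seconds):
        raise RuntimeError("grace period over (exp + token.refresh-expiry); issue a new token")
    return _post_json(base_url, build_refresh_request(access_token, refresh_token), bearer=access_token)


def make_unsigned_jwt(claims):
    """Constructed sample only: a JWT-shaped string with a dummy signature so the local
    checks can be exercised offline. NOT a JFrog-issued token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + ".sig"
```

In practice you would store expires_in from the mint response alongside the refresh token and schedule the refresh well before exp rather than relying on the grace window; the window exists so that a client that was offline at expiry can still recover, not as a routine extension mechanism.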
Limitation
With SCIM integrated, an external user who created a token can no longer refresh it once they have been removed from the external authentication server.
Without SCIM, however, such a user can still refresh the token even after they have been removed; it is therefore recommended to implement SCIM in your system.