The following settings in ‘access.config.yml’ apply the configuration changes required for the API.
Note
If expiry is forced but expires_in was not provided in the request, the default expiry shall be set for users.
An admin can restrict the refreshability of user identity tokens (i.e., disallow creating them as refreshable).
default-expiry
The default expiry period in seconds. This is the token expiry when the expiry is set to null.
When set to zero, default expiry is not forced.
Must be non-negative.
Must comply with ('max-expiry' >= 'default-expiry').
Default value: 1 year
max-expiry
The maximum expiry value for access tokens created by non-admin users. It sets the maximum allowable duration for these tokens.
It is recommended to set a max-expiry value: when it is not set or set to zero, Admins can set the token to be non-expirable, and users can set the expires_in parameter to any value.
When set to more than zero, non-expirable tokens are forbidden for users, and the user's token expiry will be limited to the max-expiry value.
Must be non-negative.
Must comply with ('max-expiry' >= 'default-expiry').
Default value: 0
allow-refreshable
When disabled, all the user tokens will be created as non-refreshable.
Default: true
‘access.config.yml’ Example:
token:
  default-expiry: 31536000
  max-expiry: 0
  allow-refreshable: true
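An added sketch (not the product's own code) of how the three settings combine for a token requested by a non-admin user. The function names are hypothetical, and three behaviours are assumptions the page does not spell out: an expires_in of 0 requests a non-expirable token, a request above max-expiry is capped rather than rejected, and the 'max-expiry' >= 'default-expiry' rule applies only when max-expiry is above zero.

```python
from typing import Optional, Tuple

YEAR = 31536000  # default-expiry default from the page: 1 year in seconds


def validate(token_cfg: dict) -> Tuple[int, int, bool]:
    """Apply the documented constraints and defaults to the 'token' section."""
    default = token_cfg.get("default-expiry", YEAR)
    maximum = token_cfg.get("max-expiry", 0)
    if default < 0 or maximum < 0:
        raise ValueError("default-expiry and max-expiry must be non-negative")
    # Assumption: the max >= default rule only applies once max-expiry is set
    # (> 0); the documented defaults (max 0, default 1 year) would fail otherwise.
    if 0 < maximum < default:
        raise ValueError("max-expiry must be >= default-expiry")
    return default, maximum, token_cfg.get("allow-refreshable", True)


def user_token(token_cfg: dict, expires_in: Optional[int] = None,
               refreshable: bool = False) -> Tuple[Optional[int], bool]:
    """Return (lifetime in seconds or None for non-expirable, refreshable)
    for a token requested by a non-admin user."""
    default, maximum, allow_refreshable = validate(token_cfg)
    if expires_in is not None and expires_in < 0:
        raise ValueError("expires_in must be non-negative")
    if expires_in is None and default > 0:
        lifetime = default            # expiry is forced and none was requested
    elif not expires_in:              # None with no forced default, or 0
        lifetime = None               # assumption: 0 requests a non-expirable token
    else:
        lifetime = expires_in
    if maximum > 0:
        # Assumption: an over-long or non-expirable request is capped, not rejected.
        lifetime = maximum if lifetime is None else min(lifetime, maximum)
    return lifetime, refreshable and allow_refreshable


# Constructed settings: the page's example values and a tightened variant.
PAGE_EXAMPLE = {"default-expiry": YEAR, "max-expiry": 0, "allow-refreshable": True}
TIGHTENED = {"default-expiry": 3600, "max-expiry": 86400, "allow-refreshable": False}

if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_EXAMPLE), ("tightened", TIGHTENED)):
        for req in (None, 0, 7 * 86400):
            print(name, "expires_in =", req, "->", user_token(cfg, req, refreshable=True))
```

With the page's example values a user can still obtain a non-expirable, refreshable token; under the tightened values every user token expires within a day and is non-refreshable.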