Hi guys,
I’ve set up an OAuth access authorization policy as such:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 name="GenerateAccessTokenClient">
    <!-- This policy generates an OAuth 2.0 access token using the client_credentials grant type -->
    <Operation>GenerateAccessToken</Operation>
    <!-- This is in milliseconds, so expire in an hour -->
    <ExpiresIn>3600000</ExpiresIn>
    <SupportedGrantTypes>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <GrantType>request.queryparam.grant_type</GrantType>
    <GenerateResponse enabled="true"/>
</OAuthV2>
As you can see, it sets the token for 3600000 milliseconds (one hour) expiration, and accordingly, when I retrieve the token, it states a time-to-live of 3600 seconds.
{
    "refresh_token_expires_in": "0",
    "api_product_list": "[Booking-Product]",
    "api_product_list_json": [
        "Booking-Product"
    ],
    "organization_name": "...",
    "developer.email": "...",
    "token_type": "BearerToken",
    "issued_at": "1554732067048",
    "client_id": "...",
    "access_token": "...",
    "application_name": "662f6edc-6421-418c-bf23-9a68d47e9730",
    "scope": "",
    "expires_in": "3599",
    "refresh_count": "0",
    "status": "approved"
}
However, it’s lasting for quite a while longer than that. I’m not sure for how long exactly, but definitely for at least a few hours. So my question is, what am I doing wrong here? Am I misunderstanding how the expiration time should work?
Thanks a lot.
Pedro