Long-Lived Tokens on Refresh Procedure Plugin

On this page

This example presents a Token Procedure plugin that implements the refresh token procedure and adds the following features to the refresh token flow (at the token endpoint):

  • If the request to the endpoint contains the query parameter long_lived_token with value set to true, then the new access token is issued for a duration set in the plugin's configuration, instead of the value set for the given client.
  • If the client has a property id_token_on_refresh set to true, then an ID token will be issued together with the response to the refresh token request.

Installing the Plugin

To install the plugin, copy the code from the GitHub repository then run mvn package. This will create a .jar file in the target directory. Copy it to a plugin folder in $IDSVR_HOME/usr/share/plugins, e.g., $IDSVR_HOME/usr/share/plugins/longlivedtokenprocedureplugin. Copy the jar to every node of the Curity Identity Server, including the admin node. Then restart the Curity Identity Server.


A Token Procedure plugin can be enabled at token service endpoints for the flows that it implements. This plugin implements the refresh flow on the token endpoint. To enable the plugin using the admin UI go to your Token Service profile, then Endpoints. Locate the endpoint with type oauth-token and click on the Flows dropdown. Click on the dropdown under the Refresh flow and select + New Plugin.

Enable the plugin

Give the plugin a name, and select the "Long Lived Token on Refresh" plugin tile.

New plugin

You can then change the configuration option for the plugin. Once you adjusted the time to live for new access tokens, commit the changes. The plugin will now run when you call the refresh token endpoint.

Edit plugin

You can manage your token procedure plugins by going to the System tab, then choosing Token Procedure Plugins from the sidebar menu.

Testing the Flow

To get long-lived access tokens on refresh add the following parameter to the query string when making the refresh request: long_lived_token=true.

To get the ID token on refresh, first edit your chosen client, go to the Application tab and set the id_token_on_refresh property on the client.

Add client property

Now, the ID token will be included in the response to a token refresh.