This example presents a Token Procedure plugin that implements the refresh token procedure and adds the following features to the refresh token flow (at the token endpoint):
- If the request to the endpoint contains the query parameter long_lived_token with value set to true, then the new access token is issued for a duration set in the plugin's configuration, instead of the value set for the given client.
- If the client has a property id_token_on_refresh set to true, then an ID token will be issued together with the response to the refresh token request.
Installing the Plugin
To install the plugin, copy the code from the GitHub repository, then run mvn package. This will create a .jar file in the target directory. Copy it to a plugin folder in $IDSVR_HOME/usr/share/plugins/longlivedtokenprocedureplugin. Copy the jar to every node of the Curity Identity Server, including the admin node. Then restart the Curity Identity Server.
A Token Procedure plugin can be enabled at token service endpoints for the flows that it implements. This plugin implements the refresh flow on the token endpoint. To enable the plugin using the admin UI, go to your Token Service profile, then Endpoints. Locate the endpoint with type oauth-token and click on the Flows dropdown. Click on the dropdown under the Refresh flow and select + New Plugin.
Give the plugin a name, and select the "Long Lived Token on Refresh" plugin tile.
You can then change the configuration option for the plugin. Once you have adjusted the time to live for new access tokens, commit the changes. The plugin will now run when you call the refresh token endpoint.
You can manage your token procedure plugins by going to the System tab, then choosing Token Procedure Plugins from the sidebar menu.
Testing the Flow
To get long-lived access tokens on refresh, add the parameter long_lived_token=true to the query string when making the refresh request.
To get the ID token on refresh, first edit your chosen client, go to the Application tab and set the id_token_on_refresh property on the client.
Now, the ID token will be included in the response to a token refresh.
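The following test helper is an added example, not code from the plugin or its repository. It builds the refresh request with the long_lived_token query parameter and checks that the response carries the expected lifetime and ID token. The endpoint URL, client credentials, HTTP Basic client authentication and the 86400-second time to live are assumptions.

```python
import base64
import json
from urllib.parse import urlencode

# Assumption: placeholder endpoint URL; use your Token Service's oauth-token endpoint.
TOKEN_ENDPOINT = "https://idsvr.example.com/oauth/v2/oauth-token"

def build_refresh_request(refresh_token, client_id, client_secret, long_lived=False):
    """Return (url, headers, body) for a refresh_token grant request."""
    url = TOKEN_ENDPOINT
    if long_lived:
        # The flag travels in the query string, separate from the form body.
        url += "?" + urlencode({"long_lived_token": "true"})
    # Assumption: the client authenticates with HTTP Basic (client id and secret).
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
    return url, headers, body

def check_refresh_response(raw_json, expected_ttl, expect_id_token):
    """Compare a token response with the expected settings; return findings."""
    resp = json.loads(raw_json)
    findings = []
    if resp.get("expires_in") != expected_ttl:
        findings.append(f"expires_in={resp.get('expires_in')}, expected {expected_ttl}")
    if expect_id_token != ("id_token" in resp):
        findings.append("id_token presence does not match id_token_on_refresh")
    return findings

# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "constructed-access-token",
    "refresh_token": "constructed-refresh-token",
    "token_type": "bearer",
    "expires_in": 86400,
    "id_token": "constructed.id.token",
})

if __name__ == "__main__":
    url, headers, body = build_refresh_request("constructed-refresh-token",
                                               "demo-client", "demo-secret", long_lived=True)
    print("POST", url)
    print(body)
    # 86400 stands in for the time to live set in the plugin's configuration.
    print(check_refresh_response(SAMPLE_RESPONSE, 86400, expect_id_token=True) or "OK")
```

Running the same check against a refresh without the parameter, with the client's own lifetime as expected_ttl, confirms that long-lived tokens are issued only when requested.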