Configuring Outdated Refresh Token Life Time

Last updated: September 14, 2020

Edit on GitHub

Refresh tokens generated when accessing Glue REST API expire after a certain period of time. In addition to that, they can be forcibly revoked at any time. No matter how a token becomes invalidated, it is set to expire but remains in the Storage.

For security reasons and to reduce the database storage space, it is recommended to delete outdated refresh tokens once they are expired. There are two ways how tokens can be removed from the Storage:

automatically on a schedule,
manually.

To configure the time during which an outdated refresh token is stored:

Extend the Spryker\Shared\Oauth\OauthConfig class on your project level.
Configure the time interval for the job via the Spryker\Shared\Oauth\OauthConfig::getRefreshTokenRetentionInterval() method.

After configuring the token lifetime, invalidated tokens will be deleted automatically by a Cron job once their storage time expires.

Note

If necessary, you can delete invalidated refresh tokens with expired storage time manually at any time. To do so, run the following console command:

vendor/bin/console oauth:refresh-token:remove-expired

Was this article helpful?

Tell us what could be better

Name (Optional)

Email (Optional) Invalid email format.

Type your thoughts here

We appreciate the time you took to share the feedback
and will consider it as soon as possible.

Configuring Outdated Refresh Token Life Time

Thank you!