0
votes

In API Manager, when a client requests an access token using the authorization code grant, a refresh token is generated by default. Can we change this so that API Manager does not generate a refresh token with the authorization code grant?

Thank you very much

3 Answers

0
votes

This is the default behavior of the authorization code grant type according to the OAuth2 specification. If you want to avoid getting a refresh token, you have to write a custom grant type [1].

[1] https://docs.wso2.com/display/IS510/Writing+a+Custom+OAuth+2.0+Grant+Type

0
votes

Thanks @Gayan for the link to the document. After looking at the referenced source code, I found that refresh token generation can be disabled globally by commenting out this section in repository\conf\identity\identity.xml:

    <!--
    <SupportedGrantType>
        <GrantTypeName>refresh_token</GrantTypeName>
        <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler</GrantTypeHandlerImplClass>
    </SupportedGrantType>
    -->

0
votes

If you have configured API Manager with the Identity Server, you must do this configuration in both products, in wso2_home/repository/conf/identity/identity.xml:

    <!--
    <SupportedGrantType>
        <GrantTypeName>refresh_token</GrantTypeName>
        <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler</GrantTypeHandlerImplClass>
    </SupportedGrantType>
    -->
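
One way to confirm that the change described in the two answers above is really in place in each product's identity.xml. This is an added example, not code from the posts or from WSO2; the function names are hypothetical, and the sample XML (wrapper elements and namespace URI included) is constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: wrapper elements and namespace URI are placeholders,
# only the commented-out block mirrors the snippet from the answers.
SAMPLE = """<Server xmlns="urn:example:constructed">
  <SupportedGrantTypes>
    <SupportedGrantType>
      <GrantTypeName>authorization_code</GrantTypeName>
    </SupportedGrantType>
    <!--
    <SupportedGrantType>
      <GrantTypeName>refresh_token</GrantTypeName>
      <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler</GrantTypeHandlerImplClass>
    </SupportedGrantType>
    -->
  </SupportedGrantTypes>
</Server>"""


def local(tag):
    """Reduce '{namespace}Name' to 'Name' so any xmlns is tolerated."""
    return tag.rsplit("}", 1)[-1]


def active_grant_types(xml_data):
    """Grant type names still enabled; ElementTree's default parser discards
    comments, so a block wrapped in <!-- --> is absent from the tree."""
    names = []
    for elem in ET.fromstring(xml_data).iter():
        if local(elem.tag) != "SupportedGrantType":
            continue
        for child in elem:
            if local(child.tag) == "GrantTypeName" and child.text:
                names.append(child.text.strip())
    return names


def refresh_disabled(xml_data):
    return "refresh_token" not in active_grant_types(xml_data)


if __name__ == "__main__":
    # Usage: pass the identity.xml of each product (API Manager, Identity Server).
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:  # bytes: lets the parser honour the XML encoding
            state = "disabled" if refresh_disabled(fh.read()) else "STILL ACTIVE"
        print(f"{path}: refresh_token grant {state}")
```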