1
votes

I am using JWT Grant to exchange a JWT token generated by an external Identity Provider for a WSO2 access token.

The client that will do this is a public browser so I don't want to have a refresh_token. Is there a way to configure WSO2 API Manager so that it doesn't generate a refresh_token?

2 Answers

1
votes

You can extend the JWT grant type and disable the refresh token like this [1].

In AbstractAuthorizationGrantHandler.java

// Returning false tells the token flow not to issue a refresh token for this grant type.
@Override
public boolean issueRefreshToken() throws IdentityOAuth2Exception {
    return false;
}

[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandler.java#L90

0
votes

Comment out the refresh token grant handler inside "repository/conf/identity/identity.xml" file. This will globally disable the refresh token grant handler.

<SupportedGrantType>
    <GrantTypeName>refresh_token</GrantTypeName>
    <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler</GrantTypeHandlerImplClass>
</SupportedGrantType>
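
A way to check the outcome of either change, as an added example that is not part of the answers above or of WSO2's code: it lists the grant types still active in identity.xml (a commented-out block is ignored by the parser) and tests whether a token endpoint response carries a refresh_token. The XML fragment, the JSON response and all function names are constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed identity.xml fragment (not from a real deployment): the
# refresh_token handler is commented out as the second answer describes.
SAMPLE_IDENTITY_XML = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <OAuth>
    <SupportedGrantTypes>
      <SupportedGrantType>
        <GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName>
        <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler</GrantTypeHandlerImplClass>
      </SupportedGrantType>
      <!--
      <SupportedGrantType>
        <GrantTypeName>refresh_token</GrantTypeName>
        <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler</GrantTypeHandlerImplClass>
      </SupportedGrantType>
      -->
    </SupportedGrantTypes>
  </OAuth>
</Server>"""

# Constructed token endpoint response for a JWT grant exchange.
SAMPLE_TOKEN_RESPONSE = '{"access_token": "example-token", "token_type": "Bearer", "expires_in": 3600}'

def local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on element tags.
    return tag.rsplit("}", 1)[-1]

def enabled_grant_types(identity_xml):
    """Map each active grant type name to its handler class.
    ElementTree drops XML comments, so commented-out handlers are not listed."""
    grants = {}
    for elem in ET.fromstring(identity_xml).iter():
        if local(elem.tag) != "SupportedGrantType":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("GrantTypeName"):
            grants[fields["GrantTypeName"]] = fields.get("GrantTypeHandlerImplClass", "")
    return grants

def refresh_grant_enabled(identity_xml):
    # True while the refresh_token grant handler is still registered.
    return "refresh_token" in enabled_grant_types(identity_xml)

def response_has_refresh_token(body):
    """True if a token endpoint JSON response carries a refresh_token."""
    return bool(json.loads(body).get("refresh_token"))
```

Run `refresh_grant_enabled` against the deployed identity.xml and `response_has_refresh_token` against a real response from the token endpoint after the JWT exchange; the two checks cover different things, since the first looks at which grants are accepted and the second at what is actually handed to the browser.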