Refresh tokens are issued as part of the OAuth 2.0 Refresh grant type so that a client can exchange one for a new access token without requiring any further interaction from the user.
This page lets you review the refresh tokens that have been issued recently. They include:
When reviewing the tokens, pay particular attention to the client ID, the member ID and any unusually long lifetime. If there are too many refresh tokens for the same client and user, this might be a sign that the client isn't configured optimally.
The refresh tokens page shows the current server time and date on the top right.
There are two methods to remove tokens depending on whether they have expired or not.
Click Revoke to remove the token from the database.
This immediately revokes the token and renders it unusable, so that a client app is no longer able to exchange it for an access token.
Click the Purge button to remove from the database all the tokens which have already expired. This has no effect on the bearer since the token has already expired, but it frees some storage space and removes these tokens from the table.
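The review described above can also be scripted. The following is an added example, not PageSeeder code: it sorts token records into expired tokens (which Purge would remove), tokens with an unusually long lifetime, and client/member pairs holding too many live tokens. The record field names, the thresholds and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed review thresholds, not PageSeeder defaults; set them from your own policy.
MAX_LIFETIME = timedelta(days=90)
MAX_ACTIVE_PER_PAIR = 3

def review_tokens(tokens, now):
    """Sort token records into expired (purge), long-lived, and excess per client/member."""
    report = {"purge": [], "long_lived": [], "excess": {}}
    active = defaultdict(list)
    for tok in tokens:
        if tok["expires"] <= now:
            # Expired tokens are already useless to the bearer; they only take up storage.
            report["purge"].append(tok["id"])
            continue
        if tok["expires"] - tok["issued"] > MAX_LIFETIME:
            report["long_lived"].append(tok["id"])
        active[(tok["client_id"], tok["member_id"])].append(tok["id"])
    for pair, ids in active.items():
        if len(ids) > MAX_ACTIVE_PER_PAIR:
            # Many live tokens for one client and user: candidates for revocation.
            report["excess"][pair] = ids
    return report

def make_token(tid, client_id, member_id, age_days, lifetime_days, now):
    """Build one constructed record with the hypothetical field names used above."""
    issued = now - timedelta(days=age_days)
    return {"id": tid, "client_id": client_id, "member_id": member_id,
            "issued": issued, "expires": issued + timedelta(days=lifetime_days)}

# Constructed sample data (not real tokens, clients or members).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    make_token("t1", "app-a", 101, 1, 30, NOW),
    make_token("t2", "app-a", 101, 2, 30, NOW),
    make_token("t3", "app-a", 101, 3, 30, NOW),
    make_token("t4", "app-a", 101, 4, 30, NOW),   # fourth live token for the same pair
    make_token("t5", "app-b", 202, 10, 365, NOW), # one-year lifetime
    make_token("t6", "app-b", 303, 60, 30, NOW),  # expired 30 days before NOW
]

if __name__ == "__main__":
    for section, found in review_tokens(SAMPLE, NOW).items():
        print(section, found)
```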
Creating refresh tokens manually bypasses the OAuth 2.0 protocol and is inherently unsafe. For security reasons, this functionality might be conditionally removed in future versions of PageSeeder.
Click the
To finalize creating the refresh token, click the Issue button.
The PageSeeder user manual
© Allette Systems (Australia)