OAuth refresh tokens page | PageSeeder User Guide

Key point: Review long-lived refresh tokens issued by PageSeeder.

Reviewing refresh tokens

Refresh tokens are issued as part of the OAuth 2.0 Refresh grant type, to allow a client to exchange it for a new access token without having to require any further interaction from the user.

This page lets you review the refresh tokens that have been issued recently. They include:

Active refresh tokens.
Expired refresh tokens.

When reviewing the tokens, pay particular attention to the client ID, member ID and any unusual long lifetime. If there are too many refresh tokens for the same client and user, this might be a sign that the client isn't configured optimally.

The refresh tokens page shows the current server time and date on the top right.

Removing tokens

There are two methods to remove tokens depending on whether they have expired or not.

Revoking tokens

Click Revoke to remove from database.

This immediately revokes the token and renders it unusable, so that a client app is no longer able to exchange it for an access token.

Purging tokens

Click the Purge button to remove from the database all the tokens which have already expired. This has no effect on the bearer since the token has already expired, but it frees some storage space and removes these tokens from the table.

Creating new refresh tokens

Creating refresh tokens manually bypasses the OAuth 2.0 protocol and is inherently unsafe. For security reasons, this functionality might be conditionally removed in future versions of PageSeeder.

Click the Issue new refresh token button to open the Issue refresh token dialog.

In the Client field, choose a client from the drop-down.
In the Member field, start typing then click a member to assign from the drop-down.
In the Scope field, type the OAuth 2.0 scope.

To finalize creating the refresh token, click the Issue button.

How to find this page

Administration menu > System administration > OAuth > Refresh tokens