Accessing Token Persistence

The OAuth server uses ActiveSpaces as its caching and persistence layer. Access tokens are persisted either in a database or in memory. Use the database in production systems to store the access tokens; if you choose in-memory storage, the access tokens are lost when the OAuth server goes down.

To use ActiveSpaces for access token persistence, follow these steps:

Procedure

  1. Start the Config UI, if not running.
  2. Log in to the Config UI using your credentials.
  3. On the home page of the Config UI, select the Gateway Engine Properties from the drop-down list.
  4. Click the Security link.
  5. Set the OAuth Metaspace properties as explained in the OAuth Data Space.
  6. Save the changes.

    You can set the following properties for the OAuth Data Space in the ASG_CONFIG_HOME/asg.properties file:

    Properties for Access Token Persistence

    tibco.clientVar.oauth.dataspace.metaspace.name
      Specifies the metaspace name used by the OAuth server.
      The default value is ASG-OAuth-Tokens.

    tibco.clientVar.oauth.dataspace.local.discovery
      Specifies the discovery URL through which this OAuth instance of the metaspace discovers the current metaspace members.
      For example, tcp://machine1_IP_Address:6300;machine2_IP_Address:6300

    tibco.clientVar.oauth.dataspace.local.listen
      Specifies the listening URL for this OAuth instance of the metaspace.
      For example, tcp://machine1_IP_Address:6300

    tibco.clientVar.oauth.dataspace.load.batch.size
      Specifies the maximum number of entries to return when querying data such as an access token. Newest tokens are loaded first.
      The default value is 1024.

    tibco.clientVar.oauth.dataspace.persister.store
      Defines the type of persistence store. The possible values are:
      • InMemory
      • Database
      If Database is set, also define the database server connection properties (see Properties For OAuth Server Persister Store of Database Type).

    tibco.clientVar.oauth.dataspace.capacity
      Specifies the maximum number of tokens to store in the local cache.
      The default value is 1024.

    tibco.clientVar.oauth.dataspace.replication.count
      Specifies the number of seeders used to replicate each token. If you have n OAuth servers, set this property to n-1 so that the token is replicated to all servers. For example, setting this property to 1 means that the token is replicated to one additional seeder.
      The default value is -1.

    tibco.clientVar.oauth.dataspace.replication.policy
      Specifies the access token replication policy when more than one OAuth server is configured in a cluster. The possible values are:
      • sync: as tokens are added to an OAuth server, they are replicated immediately to all seeders in the cluster.
      • async: as tokens are added to an OAuth server, immediate replication to the seeders is not guaranteed.
      The default value is async.

    tibco.clientVar.oauth.dataspace.eviction.policy
      Specifies how a token lookup is handled when the requested token exists in the database but not in the cache and the cache capacity has been reached.
      The default value is LRU: the token is read from the database and one token is evicted from the cache.

    Properties For OAuth Server Persister Store of Database Type

    tibco.clientVar.oauth.dataspace.persister.jdbc.driver
      Specifies the JDBC driver for the database server when the database is used as the OAuth persistence store.
    tibco.clientVar.oauth.dataspace.persister.jdbc.url
      Specifies the JDBC URL of the database server when the database is used as the OAuth persistence store.
    tibco.clientVar.oauth.dataspace.persister.jdbc.username
      Specifies the user that connects to the database server when the database is used as the OAuth persistence store.
    tibco.clientVar.oauth.dataspace.persister.jdbc.password
      Specifies the password of that user when the database is used as the OAuth persistence store.
    tibco.clientVar.oauth.access.token.retention.period
      Specifies the expiration time (in minutes) for an access token. The default value is 60 minutes. Once an access token passes the expiration time specified by this property, it is no longer valid but still remains in the database. The access token is removed from the database based on the value of the tibco.clientVar.oauth.access.token.retention.time property.
    tibco.clientVar.oauth.access.token.retention.time
      Specifies the retention period (in minutes) for an access token. The default value is 1440 minutes (1 day). Once an access token passes the retention period specified by this property, the token is removed from the database; by default, therefore, an access token is removed from the database after 1 day.
    • The value of the tibco.clientVar.oauth.access.token.retention.period property must be less than the value of the tibco.clientVar.oauth.access.token.retention.time property.
    • Note: In a multi-instance TIBCO API Exchange environment, if you change the TTL value on a gateway instance, shut down all instances that connect to that metaspace and then restart them.
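    The following is an added example, not part of the TIBCO API Exchange product or its documentation. It embeds a constructed asg.properties fragment for node 1 of a two-node OAuth cluster that uses the Database persister store (the host names, database name, JDBC driver and the password placeholder are assumptions), parses it, and checks the rules stated above: Database requires all four jdbc properties, InMemory loses tokens on restart, retention.period must be less than retention.time, replication.count should be n-1 for n servers, and only the sync policy guarantees immediate replication. Only the property names listed on this page are used.

```python
"""Sanity-check the OAuth token-persistence properties described above.

Added example, not part of the TIBCO API Exchange product or documentation.
It assumes only the tibco.clientVar.oauth.* property names listed on this page;
host names, the database name and the JDBC driver in SAMPLE_PROPERTIES are
constructed placeholders.
"""
import re
from typing import Dict, List

PREFIX = "tibco.clientVar.oauth."

# Constructed asg.properties fragment for node 1 of a two-node OAuth cluster
# using the Database persister store (every host and secret is a placeholder).
SAMPLE_PROPERTIES = """\
# --- OAuth Data Space: node 1 of a 2-node cluster (constructed sample) ---
tibco.clientVar.oauth.dataspace.metaspace.name=ASG-OAuth-Tokens
tibco.clientVar.oauth.dataspace.local.discovery=tcp://oauth-node1.example:6300;oauth-node2.example:6300
tibco.clientVar.oauth.dataspace.local.listen=tcp://oauth-node1.example:6300
tibco.clientVar.oauth.dataspace.load.batch.size=1024
tibco.clientVar.oauth.dataspace.persister.store=Database
tibco.clientVar.oauth.dataspace.capacity=1024
tibco.clientVar.oauth.dataspace.replication.count=1
tibco.clientVar.oauth.dataspace.replication.policy=sync
tibco.clientVar.oauth.dataspace.eviction.policy=LRU
tibco.clientVar.oauth.dataspace.persister.jdbc.driver=org.postgresql.Driver
tibco.clientVar.oauth.dataspace.persister.jdbc.url=jdbc:postgresql://db.example:5432/asg_oauth
tibco.clientVar.oauth.dataspace.persister.jdbc.username=asg_oauth
tibco.clientVar.oauth.dataspace.persister.jdbc.password=REPLACE_WITH_REAL_SECRET
tibco.clientVar.oauth.access.token.retention.period=60
tibco.clientVar.oauth.access.token.retention.time=1440
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java-style properties: 'key=value' or 'key: value'; '#' and '!' start comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_oauth_dataspace(props: Dict[str, str], cluster_size: int) -> List[str]:
    """Return a list of findings; an empty list means the settings satisfy the page's rules."""
    findings: List[str] = []

    def get(key: str, default: str = "") -> str:
        return props.get(PREFIX + key, default)

    def get_int(key: str, default: int) -> int:
        value = get(key, str(default))
        try:
            return int(value)
        except ValueError:
            findings.append(f"{key}={value!r} is not an integer; assuming {default}")
            return default

    # Persistence store: Database needs the full JDBC connection; InMemory loses
    # every token when the server goes down, so it is not for production.
    store = get("dataspace.persister.store")
    if store == "Database":
        for part in ("driver", "url", "username", "password"):
            if not get(f"dataspace.persister.jdbc.{part}"):
                findings.append(f"persister.store=Database but persister.jdbc.{part} is missing or empty")
    elif store == "InMemory":
        findings.append("persister.store=InMemory: tokens are lost if the OAuth server goes down; use Database in production")
    else:
        findings.append(f"persister.store={store!r}: expected InMemory or Database")

    # Token lifetime: expiration (retention.period) must be shorter than the
    # time after which the row is deleted (retention.time); defaults 60 and 1440.
    period = get_int("access.token.retention.period", 60)
    retention = get_int("access.token.retention.time", 1440)
    if period >= retention:
        findings.append(f"access.token.retention.period ({period} min) must be less than access.token.retention.time ({retention} min)")

    # Replication across a cluster of n servers: count n-1 reaches every server,
    # and only the sync policy guarantees immediate replication.
    count = get_int("dataspace.replication.count", -1)
    if cluster_size > 1 and count != cluster_size - 1:
        findings.append(f"replication.count={count}: with {cluster_size} OAuth servers it should be {cluster_size - 1}")
    policy = get("dataspace.replication.policy", "async")
    if policy not in ("sync", "async"):
        findings.append(f"replication.policy={policy!r}: expected sync or async")
    elif policy == "async" and cluster_size > 1:
        findings.append("replication.policy=async: newly issued tokens are not guaranteed to reach the other servers immediately")
    return findings


if __name__ == "__main__":
    sample = parse_properties(SAMPLE_PROPERTIES)
    for finding in check_oauth_dataspace(sample, cluster_size=2) or ["no findings"]:
        print(finding)
```

    Run it against a copy of your own asg.properties by replacing SAMPLE_PROPERTIES with the file's contents and passing the number of OAuth servers in the cluster. Note that the jdbc.password value sits in plaintext in asg.properties, so restrict the file's permissions to the account that runs the gateway engine.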