No support of token refresh for encapsulated tokens

When encapsulated tokens are enabled, it’s crucial to set a sufficient expiration time, as token refresh is not available for encapsulated tokens. Find more about encapsulated tokens in this article.

Description

Environment

  • AEM 6.x.x
  • AEM as a Cloud Service

Issues/Symptoms

There’s no support for token refresh for encapsulated tokens.

Resolution

An encapsulated token is a self-contained token with a fixed expiration time, which is determined by the value set in the OSGi TokenConfiguration (Figure 1).
If the encapsulated token is enabled as shown in (Figure 2), the login session expires once the token expiration time has run out, even if token refresh has been enabled as shown in (Figure 1).

For example, if the token expiration is set to 360000ms as in (Figure 1), the session will expire in 1 hour and the user will have to log in again after 1 hour.

To learn more about encapsulated tokens, see Encapsulated Token Support in our AEM Administering Guide.

The Token Refresh flag on the Oak TokenConfiguration (Figure 1) works fine with sticky sessions.
If you have enabled encapsulated tokens as in (Figure 2), make sure the expiration time you set is long enough, because token refresh is not supported with encapsulated tokens.
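
The behaviour described above, as an added example that is not part of the original article and is not AEM or Oak code: a simplified model in which a self-contained token carries its expiry inside an HMAC-signed payload, next to a server-stored token whose expiry a refresh flag can extend. The token layout, the key, the refresh rule, all names and the times used are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: stands in for a key every instance shares

def issue(user, now_ms, ttl_ms):
    """Self-contained token: the expiry sits inside the signed payload."""
    body = base64.urlsafe_b64encode(
        json.dumps({"sub": user, "exp": now_ms + ttl_ms}).encode())
    return body + b"." + hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()

def validate(token, now_ms):
    """Stateless check: signature, then embedded expiry. Nothing is looked up or written."""
    body, _, sig = token.partition(b".")
    expected = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return None  # payload (including exp) was altered or signed with another key
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["sub"] if now_ms < claims["exp"] else None

class StoredTokens:
    """Contrast: expiry is kept server-side, so a refresh flag can push it out."""
    def __init__(self, ttl_ms, refresh):
        self.ttl_ms, self.refresh, self.expiry = ttl_ms, refresh, {}

    def issue(self, token_id, now_ms):
        self.expiry[token_id] = now_ms + self.ttl_ms

    def validate(self, token_id, now_ms):
        exp = self.expiry.get(token_id)
        if exp is None or now_ms >= exp:
            return False
        # assumed refresh rule: extend once less than half the lifetime remains
        if self.refresh and exp - now_ms < self.ttl_ms // 2:
            self.expiry[token_id] = now_ms + self.ttl_ms
        return True

def timeline(ttl_ms, request_times_ms):
    """Return (time, stored_token_valid, encapsulated_token_valid) per request."""
    store = StoredTokens(ttl_ms, refresh=True)
    store.issue("t1", 0)
    token = issue("alice", 0, ttl_ms)
    return [(t, store.validate("t1", t), validate(token, t) is not None)
            for t in request_times_ms]

if __name__ == "__main__":
    # constructed values: 10 s lifetime, one request every 7 s
    for row in timeline(10_000, [7_000, 14_000, 21_000]):
        print(row)
```

With regular activity the stored token stays valid because each request can move its expiry forward, while the self-contained token stops validating at its original expiry no matter how active the user is.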

(Figure 1) Apache Jackrabbit Oak TokenConfiguration


(Figure 2) Token Authentication Handler - Encapsulated token

