Renewing a Token

The renew token operation renews a token that was previously issued by the WS-Trust Security Token Service (STS). Only a token issued by an Identity Server that is part of the same cluster can be renewed. Tokens issued by an Identity Server in a different cluster, or by a third-party STS, cannot be renewed.

Each token generated by the STS is valid for the duration specified by the Token Lifetime setting. A token can be renewed only before that lifetime lapses; once it has expired it cannot be renewed. For example, if the Token Lifetime is 180 seconds, the renew operation succeeds only up to the 179th second after the token was issued. Because the STS, not the client, decides whether the token has already expired, a client should send its renew request with some margin before the deadline rather than at the last second.

Workflow:

  1. The web service client sends an RST (RequestSecurityToken) to the WS-Trust STS to authenticate, and the STS returns a SAML token to the client in the RSTR (RequestSecurityTokenResponse).

  2. The web service client presents the SAML token obtained from the STS and requests access to resources hosted on the web service provider.

  3. The web service provider validates the SAML token and grants access to the resources.

  4. When the token is nearing expiry, the web service client sends an RST to the WS-Trust STS to renew the previously issued token. The STS extends the validity of the token and returns the renewed token to the web service client for any further requests.

  5. The web service client presents the renewed SAML token from the STS and requests access to resources hosted on the web service provider.
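The client side of this workflow in code, as an added example that is not part of the original page or of the Identity Server product: a small Python helper that reads the wst:Lifetime from the RSTR of step 1, decides whether a renew request is still possible (using the 180 second lifetime from the example above), and builds the WS-Trust 1.3 Renew RST of step 4 with the old token in a RenewTarget element. The namespace and request-type URIs are the standard WS-Trust 1.3, WS-Security Utility and SAML token profile values; the RSTR, its timestamps, the assertion ID and issuer are constructed sample data, and the 30 second renew margin and the function names are choices made here, not settings of the product.

```python
import copy
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Standard namespace and request-type URIs (WS-Trust 1.3, WS-Security Utility 1.0,
# WSS SAML Token Profile 1.1, SAML 2.0).
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
RENEW_REQUEST_TYPE = WST + "/Renew"

for prefix, uri in (("wst", WST), ("wsu", WSU), ("saml2", SAML2)):
    ET.register_namespace(prefix, uri)

# Constructed sample RSTR standing in for the STS reply of step 1. The 180 second
# lifetime matches the example in the text; the assertion is a minimal stub and
# its ID and Issuer are made-up values.
SAMPLE_RSTR = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{WST}" xmlns:wsu="{WSU}">
  <wst:TokenType>{SAML2_TOKEN_TYPE}</wst:TokenType>
  <wst:Lifetime>
    <wsu:Created>2024-01-01T10:00:00.000Z</wsu:Created>
    <wsu:Expires>2024-01-01T10:03:00.000Z</wsu:Expires>
  </wst:Lifetime>
  <wst:RequestedSecurityToken>
    <saml2:Assertion xmlns:saml2="{SAML2}" ID="_a1b2c3" Version="2.0"
                     IssueInstant="2024-01-01T10:00:00.000Z">
      <saml2:Issuer>localhost</saml2:Issuer>
    </saml2:Assertion>
  </wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>"""


def _parse_ts(value):
    # wsu:Created / wsu:Expires are UTC xs:dateTime values with millisecond precision.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_rstr(rstr_xml):
    """Return (created, expires, token_element) from an RSTR document."""
    root = ET.fromstring(rstr_xml)
    lifetime = root.find(f"{{{WST}}}Lifetime")
    if lifetime is None:
        raise ValueError("RSTR carries no wst:Lifetime")
    created = _parse_ts(lifetime.findtext(f"{{{WSU}}}Created"))
    expires = _parse_ts(lifetime.findtext(f"{{{WSU}}}Expires"))
    token = root.find(f"{{{WST}}}RequestedSecurityToken/*")
    if token is None:
        raise ValueError("RSTR carries no wst:RequestedSecurityToken")
    return created, expires, token


def token_lifetime_seconds(rstr_xml):
    """Lifetime granted by the STS, i.e. Expires minus Created."""
    created, expires, _ = parse_rstr(rstr_xml)
    return (expires - created).total_seconds()


def renew_decision(rstr_xml, elapsed_seconds, margin_seconds=30):
    """Classify the token `elapsed_seconds` after it was created.

    'wait'    : still well inside its lifetime, no renew needed yet
    'renew'   : inside the margin but not yet expired, send the Renew RST now
    'expired' : at or past Expires; renew will be refused, request a fresh Issue
    """
    remaining = token_lifetime_seconds(rstr_xml) - elapsed_seconds
    if remaining <= 0:
        return "expired"
    if remaining <= margin_seconds:
        return "renew"
    return "wait"


def build_renew_rst(rstr_xml):
    """Build the step 4 request: a WS-Trust 1.3 RST whose RequestType is Renew and
    whose RenewTarget carries the token previously returned in the RSTR."""
    _, _, token = parse_rstr(rstr_xml)
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = RENEW_REQUEST_TYPE
    target = ET.SubElement(rst, f"{{{WST}}}RenewTarget")
    target.append(copy.deepcopy(token))
    return ET.tostring(rst, encoding="unicode")


if __name__ == "__main__":
    for elapsed in (10, 160, 179, 180):
        print(elapsed, renew_decision(SAMPLE_RSTR, elapsed))
    print(build_renew_rst(SAMPLE_RSTR))
```

In WS-Trust 1.3 the STS normally wraps the RSTR in a RequestSecurityTokenResponseCollection, and the Renew RST travels inside a signed SOAP envelope; a real client unwraps the collection first and adds the WS-Security header, neither of which is shown here. The `renew_decision` split matters operationally: a client that only checks for expiry on the provider side will discover the token is dead after the STS has already stopped accepting renew requests for it.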