Creating API protection definition

Create API protection definitions to configure the settings that control how clients access protected resources. These settings protect the resources from unauthorized access.

Procedure

  1. Log in to the local management interface.
  2. Click Secure Mobile Settings.
  3. Under Policy, click API Protection.
  4. Click Definitions.
  5. Click Add.
  6. In the Name field, type a unique name for the definition.
    Note: The name must begin with an alphabetic character. Do not use control characters, leading and trailing blanks, or the following special characters anywhere in the name: ~ ! @ # $ % ^ & * ( ) + | ` = \ ; : " ' < > ? , [ ] { } /
  7. In the Description field, provide a brief description about the definition.
  8. Click Grant Types.
  9. You must select at least one grant type. Authorization code is enabled by default.
  10. Click Token Management.
  11. Provide the following information:
    Access token lifetime (seconds)
    Specifies the number of seconds an access token is valid. When the access token becomes invalid, the client cannot use it to access the protected resource.
    Default value: 3600 seconds.
    Minimum value: 1 second.
    Access token length
    Specifies the number of characters in an access token.
    Default value: 20 characters.
    Minimum value: one character.
    Maximum value: 500 characters.
    Enforce single-use authorization grant
    If enabled, all the authorization grant tokens are revoked after an access token is validated. When this option is enabled, resource requests that involve redirects fail because the access token is validated multiple times.
    Default value: disabled
    Authorization code lifetime (seconds)
    Specifies the number of seconds that an authorization code is valid.
    This option applies only to an authorization code grant type. The authorization server generates an authorization code and sends it to the client. The client uses the authorization code in exchange for an access token.
    Default value: 300 seconds.
    Minimum value: 1 second.
    Authorization code length
    Specifies the number of characters in an authorization code.
    Default value: 30 characters.
    Minimum value: one character.
    Maximum value: 500 characters.
    Issue refresh token
    Specifies whether a refresh token is sent to the client. A refresh token obtains a new pair of access and refresh tokens. This option is only applicable to the Authorization code and Resource owner password credentials grant types.
    Maximum authorization grant lifetime (seconds)
    Specifies the maximum number of seconds that the resource owner authorizes the client to access the protected resource.
    This option is available only if you enable the Issue refresh token option.
    The value for this lifetime must be greater than the values specified for the authorization code and access token lifetimes.
    When this lifetime expires, the resource owner must reauthorize the client to obtain an authorization grant to access the protected resource.
    Default value: 604800 seconds.
    Minimum value: 1 second.
    Refresh token length
    Specifies the number of characters in a refresh token. This option is available only if you enable the Issue refresh token option.
    Default value: 40 characters.
    Minimum value: 1 character.
    Maximum value: 500 characters.
    Enforce single access token per authorization grant
    If enabled, all previously granted access tokens are revoked after a new access token is generated by presenting the refresh token to the authorization server.
    This option is available only if you enable the Issue refresh token option.
    Default value: enabled
    Enable PIN policy
    Provides more protection during the exchange of a refresh token for a new pair of access and refresh tokens.
    This option is available only if you enable the Issue refresh token option. If enabled, you must configure the PIN length.
    PIN Length
    Specifies the number of characters in a PIN. This option is available only if you enable the Enable PIN policy option. You can use the runtime.hashAlgorithm runtime parameter to configure the algorithm that is used to hash the PIN before it is stored. For more information, see Advanced configuration properties.
    Default value: 4 characters.
    Minimum value: 3 characters.
    Maximum value: 12 characters.
    Token character set
    By default, a set of alphanumeric characters is displayed. You can specify the set of characters used to generate tokens in any of the following ways:
    • Manually enter characters
    • Select from a pre-defined character set from the drop-down list
    • Edit the characters in the field after selecting from a set from the drop-down list
    The configured token character set is applicable for all token types. If this parameter is left blank, all available alphanumeric characters are used to generate the token.
    Maximum number of characters allowed: 200
  12. Click Trusted Clients and Consent and select when you want the user to be prompted to consent to an authorization grant.
  13. Click Save.
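
The following Python module is an added example, not code from the product or this documentation. It models the constraints that steps 6 and 11 describe so that a definition can be checked before it is saved: the Name field rules (alphabetic first character, no control characters, no leading or trailing blanks, none of the listed special characters), the minimum and maximum values for each token setting, the rule that the maximum authorization grant lifetime must exceed both the authorization code and access token lifetimes, and the 200-character limit on the token character set. It also shows how a token of the configured length is drawn from the configured character set with a CSPRNG and how much guessing resistance that length buys. The class and function names, the dataclass layout, and the uniform-draw token generator are assumptions of the example; the product's own generation logic is not described on this page.

```python
import math
import secrets
import string
from dataclasses import dataclass

# Alphanumeric set used when the token character set is left blank (step 11).
ALNUM = string.ascii_letters + string.digits

# Special characters the Name field rejects, as listed in step 6. Control
# characters and leading/trailing blanks are checked separately below.
FORBIDDEN_NAME_CHARS = set('~!@#$%^&*()+|`=\\;:"\'<>?,[]{}/')


def validate_definition_name(name: str) -> list[str]:
    """Return the step 6 rule violations for a definition name (empty list = valid)."""
    errors = []
    if not name or not name[0].isalpha():
        errors.append("name must begin with an alphabetic character")
    if name != name.strip(" "):
        errors.append("name must not have leading or trailing blanks")
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        errors.append("name must not contain control characters")
    bad = sorted(set(name) & FORBIDDEN_NAME_CHARS)
    if bad:
        errors.append("name contains forbidden characters: " + " ".join(bad))
    return errors


@dataclass
class TokenManagement:
    """Constructed model of the step 11 settings, initialised to the page's defaults."""
    access_token_lifetime: int = 3600        # seconds, minimum 1
    access_token_length: int = 20            # characters, 1..500
    enforce_single_use_grant: bool = False
    auth_code_lifetime: int = 300            # seconds, minimum 1
    auth_code_length: int = 30               # characters, 1..500
    issue_refresh_token: bool = False
    max_grant_lifetime: int = 604800         # seconds, only with refresh tokens
    refresh_token_length: int = 40           # characters, only with refresh tokens
    enforce_single_access_token: bool = True
    enable_pin_policy: bool = False
    pin_length: int = 4                      # characters, 3..12, only with PIN policy
    token_charset: str = ""                  # blank means all alphanumerics

    @property
    def effective_charset(self) -> str:
        return self.token_charset or ALNUM

    def validate(self) -> list[str]:
        """Return the step 11 constraint violations (empty list = valid)."""
        errors = []
        if self.access_token_lifetime < 1:
            errors.append("access token lifetime must be at least 1 second")
        if not 1 <= self.access_token_length <= 500:
            errors.append("access token length must be 1..500 characters")
        if self.auth_code_lifetime < 1:
            errors.append("authorization code lifetime must be at least 1 second")
        if not 1 <= self.auth_code_length <= 500:
            errors.append("authorization code length must be 1..500 characters")
        if self.issue_refresh_token:
            # The grant lifetime bounds how long refresh tokens can keep renewing access.
            if self.max_grant_lifetime <= max(self.access_token_lifetime, self.auth_code_lifetime):
                errors.append("maximum authorization grant lifetime must exceed "
                              "both the access token and authorization code lifetimes")
            if not 1 <= self.refresh_token_length <= 500:
                errors.append("refresh token length must be 1..500 characters")
            if self.enable_pin_policy and not 3 <= self.pin_length <= 12:
                errors.append("PIN length must be 3..12 characters")
        if len(self.token_charset) > 200:
            errors.append("token character set must not exceed 200 characters")
        return errors

    def _token(self, length: int) -> str:
        # secrets.choice draws from the OS CSPRNG; random.choice is not acceptable for tokens.
        return "".join(secrets.choice(self.effective_charset) for _ in range(length))

    def generate_access_token(self) -> str:
        return self._token(self.access_token_length)

    def generate_authorization_code(self) -> str:
        return self._token(self.auth_code_length)

    def generate_refresh_token(self) -> str:
        if not self.issue_refresh_token:
            raise ValueError("refresh tokens are not issued for this definition")
        return self._token(self.refresh_token_length)


def token_entropy_bits(length: int, charset_size: int) -> float:
    """Guessing resistance of a uniformly random token: length * log2(charset size)."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    cfg = TokenManagement(issue_refresh_token=True)
    print("name errors:", validate_definition_name("mobile-banking"))
    print("setting errors:", cfg.validate())
    print("access token:", cfg.generate_access_token())
    print("refresh token:", cfg.generate_refresh_token())
    print("default access-token entropy: %.1f bits"
          % token_entropy_bits(cfg.access_token_length, len(cfg.effective_charset)))
```

Shrinking the token character set (for example to digits only, to make tokens easier to type) reduces the entropy per character; the `token_entropy_bits` helper makes that trade-off visible so the token length can be raised to compensate.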

What to do next