Workspace ONE Access uses OAuth 2.0 to enable applications to register with Workspace ONE Access and create secure delegated access to applications that are enabled in the Hub catalog. The OAuth client is authorized through an access token.

  • (Cloud deployments only) When the Workspace ONE Access console was redesigned in April of 2022, OAuth 2.0 Management replaced Remote App Access and the configuration was redesigned. The changes you make in the new console are not reflected in the legacy console.
  • (On Premises deployments only) In the Workspace ONE Access 22.09 release, the Remote App Access configuration remains the same as in previous releases. See Managing Applications with OAuth 2.0 in Workspace ONE Access (On Premises only).

You can create a single OAuth 2 client to enable a single application to register with Workspace ONE Access. You can also create a template to enable a group of clients to register dynamically with the Workspace ONE Access services to allow access to specified applications.

The initial user authentication request follows the authentication flow defined in the OIDC spec.

OAuth 2.0 Workflow when Application is Accessed from Workspace ONE Intelligent Hub

When a user clicks the application in the Workspace ONE Intelligent Hub app or Hub portal, the authentication flow is as follows.

  1. The user selects the application in the Hub catalog.
  2. The Workspace ONE Access service redirects the user to the target URL.
  3. The application redirects the user to Workspace ONE Access with an authorization request.
  4. The Workspace ONE Access service authenticates the user based on the authentication policy that you specified for the app.
  5. The Workspace ONE Access service checks whether the user is entitled to the application.
  6. The Workspace ONE Access service sends the authorization code to the redirect URL.
  7. Using the authorization code, the application requests the access token.
  8. The Workspace ONE Access service sends the ID token, access token, and refresh token to the app.

Managing Access Token Time to Live

The access token provides temporary secure access to the application. Access tokens have a limited lifetime. When you create the client credentials, the access token is configured with a time to live (TTL). The time configured is the maximum time that the access token is valid for use within an application.

If users frequently use an application, such as the Workspace ONE Intelligent Hub app, you can configure the client credentials so that these users do not have to log in every time the access token expires.

Enable Issue Refresh Token so that when the access token expires, the application uses the refresh token to request a new access token. The refresh token is configured with a TTL. New access tokens can be requested until the refresh token expires. When the refresh token expires, the user must log in to the application.

You can configure how long a refresh token can be idle before it cannot be used again. If the refresh token is not used within the refresh token idle TTL, users must log in to the application again.

How Access Token Time to Live Works

The access token time-to-live (TTL) settings in the client credentials are configured as follows.

  • Access Token TTL is set to nine hours
  • Refresh Token TTL is set to three months
  • Refresh Token Idle TTL is set to seven days

If the user uses the application every day, the user does not need to log in again for three months, based on the Refresh Token TTL setting. However, if the user is idle and does not use the application for seven days, the user would need to log in after seven days, based on the Refresh Token Idle TTL setting.
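
The interaction of the three TTL settings above can be replayed as a small model. This is an added example, not Workspace ONE Access code: the `Session` class and function names are hypothetical, "three months" is approximated as 90 days, the refresh token's absolute TTL is assumed to run from issuance without being extended by refreshes, and idle time is assumed to be measured from the refresh token's last use.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# TTL values from the example above; "three months" is taken as 90 days (assumption).
ACCESS_TTL = timedelta(hours=9)
REFRESH_TTL = timedelta(days=90)
REFRESH_IDLE_TTL = timedelta(days=7)

@dataclass
class Session:
    """Hypothetical client-side view of one issued token set."""
    access_issued: datetime
    refresh_issued: datetime
    refresh_last_used: datetime

def login(now):
    # An interactive login issues a fresh access token and refresh token.
    return Session(now, now, now)

def use_app(session, now):
    """Return (outcome, session) for one application use at time `now`."""
    if now < session.access_issued + ACCESS_TTL:
        return "access_token_valid", session
    # Access token expired: the refresh token must pass both checks.
    # Assumption: the absolute TTL is not extended when the token is used.
    if now >= session.refresh_issued + REFRESH_TTL:
        return "login_required", login(now)
    # Assumption: idle time counts from the refresh token's last use.
    if now - session.refresh_last_used >= REFRESH_IDLE_TTL:
        return "login_required", login(now)
    session.access_issued = now
    session.refresh_last_used = now
    return "refreshed", session

def simulate(start, offsets):
    """Replay application uses at start + offset and collect the outcomes."""
    session, outcomes = login(start), []
    for off in offsets:
        outcome, session = use_app(session, start + off)
        outcomes.append(outcome)
    return outcomes

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 8, 0)  # constructed start time
    daily = simulate(t0, [timedelta(days=d) for d in range(1, 101)])
    print("daily use: first forced login on day", daily.index("login_required") + 1)
    gaps = [timedelta(hours=5), timedelta(days=1), timedelta(days=9)]
    print("idle gap:", simulate(t0, gaps))
```

With daily use the model forces the first new login on day 90; with an eight-day gap it forces one even though the refresh token's absolute TTL has not elapsed.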