For on-premises deployments, Workspace ONE Access uses OAuth 2 to enable applications to register with Workspace ONE Access and create a secure delegated access to applications enabled in the Hub catalog.

You can create a single client to enable a single application to register with Workspace ONE Access. You can also create a template to enable a group of clients to register dynamically with the Workspace ONE Access service and allow access to specified applications.

The initial user authentication request follows the authentication flow defined in the OIDC spec.

Managing Access Token Time to Live

The access token provides temporary secure access to the application. Access tokens have a limited lifetime. When you create the client credentials, the access token is configured with a time to live (TTL). The time configured is the maximum time that the access token is valid for use within an application.

If users frequently use an application, such as Workspace ONE, you can configure the client credentials so that these users do not have to log in every time the access token expires.

Enable Issue Refresh Token so that when the access token expires, the application uses the refresh token to request a new access token. The refresh token is configured with a TTL. New access tokens can be requested until the refresh token expires. When the refresh token expires, the user must log in to the application.

You can configure how long a refresh token can be idle before it can no longer be used. If the refresh token is not used within the refresh token idle TTL, users must log in to the application again.

How Access Token Time to Live Works

Suppose the access token time-to-live (TTL) settings in the client credentials are configured as follows.

  • Access Token TTL is set to nine hours
  • Refresh Token TTL is set to three months
  • Refresh Token Idle TTL is set to seven days

If the user uses the application every day, the user does not need to log in again for three months, based on the Refresh Token TTL setting. However, if the user is idle and does not use the application for seven days, the user must log in again after seven days, based on the Refresh Token Idle TTL setting.
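The following simulation replays the three TTL clocks described above against a sequence of application uses and reports, for each use, whether the existing access token still served, a refresh was needed, or a new login was forced. It is an added illustration, not Workspace ONE Access code; the ClientTtls names are invented, "three months" is modelled as 90 days, and a successful refresh is assumed to count as use of the refresh token for the idle clock.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ClientTtls:
    """Token lifetimes from the client credentials (illustrative names)."""
    access_ttl: timedelta
    refresh_ttl: timedelta        # absolute lifetime, counted from login
    refresh_idle_ttl: timedelta   # maximum gap between uses of the refresh token


# The page's example values; "three months" is modelled as 90 days (assumption).
EXAMPLE_TTLS = ClientTtls(
    access_ttl=timedelta(hours=9),
    refresh_ttl=timedelta(days=90),
    refresh_idle_ttl=timedelta(days=7),
)


def simulate(ttls: ClientTtls, usage_times: list[datetime]) -> list[tuple[datetime, str]]:
    """Replay application uses and label each one:
    'access'  - current access token still valid, nothing else happens
    'refresh' - access token expired, refresh token exchanged for a new one
    'login'   - refresh token expired or idle too long, user must log in
    A successful refresh is treated as a use of the refresh token (assumption)."""
    events = []
    access_expires = refresh_expires = last_refresh_use = None
    for t in usage_times:
        if access_expires is not None and t < access_expires:
            events.append((t, "access"))
            continue
        refresh_ok = (
            refresh_expires is not None
            and t < refresh_expires
            and t - last_refresh_use < ttls.refresh_idle_ttl
        )
        if refresh_ok:
            events.append((t, "refresh"))
        else:
            # A new login issues a fresh refresh token, restarting its absolute TTL.
            refresh_expires = t + ttls.refresh_ttl
            events.append((t, "login"))
        access_expires = t + ttls.access_ttl   # new access token either way
        last_refresh_use = t
    return events


def replay_hours(ttls: ClientTtls, hour_offsets, start=datetime(2024, 1, 1)) -> list[str]:
    """Convenience wrapper: uses given as hour offsets from a constructed start time."""
    times = [start + timedelta(hours=h) for h in hour_offsets]
    return [kind for _, kind in simulate(ttls, times)]
```

With daily use the only forced logins are on day 0 and day 90; with uses on days 0, 3 and 10 the third use forces a login because the refresh token sat idle for seven days.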