Prevent refresh_token rotation

I have a use case where I need to trigger a Job in Ansible Tower using the Tower REST API. My problem is determining the best way to handle authentication.

Under the current implementation, the refresh_token changes each time I use it to request a new access_token. This is a problem for my client application because it is stateless, and I don’t have anywhere reliable that I can update the refresh_token with the new one returned from the Ansible Tower API. Is there a way to turn off the Ansible Tower feature that generates a new refresh_token each time I request a new access_token?

Ideally, I would like to get a refresh_token from Ansible Tower that expires within 60 days of the last use, i.e. if the refresh_token is not used within 60 days (configurable), then the token would expire. Otherwise, it would live on. Does anyone know if it’s possible to configure Ansible Tower to work this way?

(moved this to the Get Help - Ansible category).

I think you can set the expirations for those in options:

https://ansible.readthedocs.io/projects/awx/en/latest/administration/oauth2_token_auth.html#using-oauth-2-token-system-for-personal-access-tokens-pat

Forgive me, but this does not appear to address my question. The refresh_token is still rotated each time a new access_token is requested.

Yes, it is. I think I am misunderstanding what you are doing. Just use the access token until its end of life and don’t refresh it? The refresh token is to renew the access token if it’s expired only, right?

Hi Klaas,

Let’s assume our Access Token Expiration was 10 minutes. After 10 minutes, we would use the refresh_token to request a new access_token. Where do I store the new refresh_token returned from Ansible? That’s the problem I am trying to overcome… Ideally, I would like the refresh_token not to change. Just be the same one, ad-infinitum, unless the refresh_token went 60 days with no activity. I’m asking if there is a way to disable refresh_token rotation.

“Let’s assume our Access Token Expiration was 10 minutes. After 10 minutes, we would use the refresh_token to request a new access_token”
Yes, that is also my understanding, but not just a new access token, also a new refresh token.
“Where do I store the new refresh_token returned from Ansible? That’s the problem I am trying to overcome…”
Same place you store the access token; ideally store them together in the same object.
“Ideally, I would like the refresh_token not to change. Just be the same one, ad-infinitum, unless the refresh_token went 60 days with no activity. I’m asking if there is a way to disable refresh_token rotation.”
That does not exist as far as I know. By design the refresh token changes on usage.
But what I am suggesting is you just don’t use the refresh token. Store an access token with 60 days, 120 days, … validity and just use that one; don’t refresh it unless you want a new access token, which will invalidate your old one. If you want a new access token without invalidating your old one, you need to create a new token - not use the refresh_token.
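
For a client that does have a writable file, here is one way to keep the access token and refresh token together in one object and replace both whenever the refresh token is rotated. This is an added example, not code from the thread or from the Ansible project. `TokenPairStore`, `get_access_token` and the injected `post_refresh` callable are hypothetical names, and the response fields are assumed to follow the standard OAuth2 token response (`access_token`, `refresh_token`, `expires_in`).

```python
import json
import os
import tempfile
import time


class TokenPairStore:
    """Keeps access_token and refresh_token in one JSON object on disk."""

    def __init__(self, path):
        self.path = os.path.abspath(path)

    def load(self):
        with open(self.path) as f:
            return json.load(f)

    def save(self, pair):
        # mkstemp creates the file with mode 0600; os.replace swaps it in
        # atomically, so a crash never leaves a half-written or stale pair.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path))
        try:
            with os.fdopen(fd, "w") as f:
                json.dump(pair, f)
                f.flush()
                os.fsync(f.fileno())
            os.replace(tmp, self.path)
        except BaseException:
            os.unlink(tmp)
            raise


def get_access_token(store, post_refresh, now=time.time, skew=30):
    """Return a valid access token, rotating the stored pair when needed.

    post_refresh(refresh_token) is a hypothetical callable that sends
    grant_type=refresh_token to the OAuth2 token endpoint and returns the
    parsed JSON response (access_token, refresh_token, expires_in).
    """
    pair = store.load()
    if pair["expires_at"] - skew > now():
        return pair["access_token"]
    resp = post_refresh(pair["refresh_token"])
    # The old refresh token is spent once used: persist the new pair
    # before handing the access token to the caller.
    store.save({
        "access_token": resp["access_token"],
        "refresh_token": resp["refresh_token"],
        "expires_at": now() + resp["expires_in"],
    })
    return resp["access_token"]
```

If several workers share the same file, they also need a lock around `get_access_token`, otherwise two of them can present the same refresh token and the second request will be rejected.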