Authentication process

The login and authentication workflow accesses the refresh token and access token APIs to create and send a JWT.

  1. The client application accesses the refresh token API with Forcepoint DLP username and password header parameters.
    Important: Only the Application administrator type can request a refresh token through the REST API. If a User administrator type requests the refresh token, the system returns a 403 error code.
  2. The refresh token is issued as a JWT with an expiration time of 1 day. The refresh token is used to retrieve the access token, so the username and password header parameters do not have to be sent over the network on every call. The access token is also returned by this call, which saves an initial get access token call.
    Important: Communication is through HTTPS. The username and password are not encrypted.
    Note: If the account password is changed, the refresh token is still valid until the expiration time.
    To update the refresh token expiration, execute the following query:
    UPDATE PA_CONFIG_PROPERTIES SET VALUE = '<value>', EXTRA_DATA = '<type>'
    WHERE NAME = 'REFRESH_TOKEN_EXPIRATION' AND GROUP_NAME = 'SECURITY';
    Note:
    • Valid <value>: Must be greater than zero.
    • Valid <type>: Acceptable units are 'DAYS', 'HOURS', or 'MINUTES'.
  3. After the first access token expires, the client application accesses the get access token API with the received refresh token to obtain a new access token. Access tokens expire after 15 minutes.
    Note:
    • The refresh token cannot be used for client application API calls. The system returns a 403 error code if the refresh token is used to get or update incidents through the Incidents API.
    • By default, the access token expiration time is 15 minutes, in line with industry practice. A shorter access token lifetime limits the window in which a compromised or misused token can be exploited through the customer's application.
    To update the access token expiration, execute the following query:
    UPDATE PA_CONFIG_PROPERTIES SET VALUE = '<value>', EXTRA_DATA = '<type>'
    WHERE NAME = 'ACCESS_TOKEN_EXPIRATION' AND GROUP_NAME = 'SECURITY';
    Note:
    • Valid <value>: Must be greater than zero.
    • Valid <type>: Acceptable units are 'DAYS', 'HOURS', or 'MINUTES'.
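The three steps above, as an added client-side example that is not Forcepoint's code: a token manager that sends the credentials once, caches the refresh and access tokens, and renews the access token from the refresh token before it expires (and re-authenticates only when the refresh token itself is near expiry). The issuer, the unsigned JWTs and the 1-day/15-minute lifetimes are constructed stand-ins for the real API, whose endpoint names the text does not give.

```python
import base64
import json
# Constructed lifetimes matching the defaults in the text: 1 day and 15 minutes.
REFRESH_TTL, ACCESS_TTL = 24 * 60 * 60, 15 * 60

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    """Constructed stand-in for the server-issued JWT; a real server signs its tokens."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def jwt_exp(token: str) -> int:
    """Read 'exp' without checking the signature: only for scheduling renewal, never for authorisation."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

class FakeIssuer:
    """Constructed issuer that behaves like steps 1-3; it is not the Forcepoint API."""
    def __init__(self, now):
        self.now, self.refresh_calls, self.access_calls = now, 0, 0

    def refresh_token_api(self, username: str, password: str):
        # Steps 1-2: credentials are sent once (header parameters in the real API); reply carries both tokens.
        self.refresh_calls += 1
        t = self.now()
        return (make_unsigned_jwt({"sub": username, "typ": "refresh", "exp": t + REFRESH_TTL}),
                make_unsigned_jwt({"sub": username, "typ": "access", "exp": t + ACCESS_TTL}))

    def access_token_api(self, refresh_token: str) -> str:
        # Step 3: a valid refresh token yields a new access token; an expired one is rejected.
        self.access_calls += 1
        if jwt_exp(refresh_token) <= self.now():
            raise PermissionError("refresh token expired; log in again")
        return make_unsigned_jwt({"typ": "access", "exp": self.now() + ACCESS_TTL})

class TokenManager:
    """Caches both tokens and renews 'skew' seconds early so a token never expires mid-request."""
    def __init__(self, issuer, username, password, now, skew=30):
        self.issuer, self.user, self.pw, self.now, self.skew = issuer, username, password, now, skew
        self.refresh = self.access = None
    def access_token(self) -> str:
        t = self.now()
        if self.refresh is None or jwt_exp(self.refresh) - self.skew <= t:
            self.refresh, self.access = self.issuer.refresh_token_api(self.user, self.pw)
        elif jwt_exp(self.access) - self.skew <= t:
            self.access = self.issuer.access_token_api(self.refresh)
        return self.access
```

The refresh token is held only inside the manager and is never presented to a data API, which is exactly the call the text says the server rejects with a 403.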