OTK Maximum tokens per client does not work when using client credential flow.


Article ID: 141873




Products: CA API Gateway, API SECURITY, CA API Gateway Enterprise Service Manager (Layer 7), CA Microgateway


When setting the maximum number of tokens per client as documented in the "Set the Maximum Token Count" section, we can still request more than 5 tokens while "max_oauth_token_count" is set to 5 and "max_oauth_token_behaviour" is set to error.

Under which circumstances is this count applied? Is it per OTK session, or per issued token?




The max token count applies to the combination of resource owner and client credentials. The client credentials grant type does not require a resource owner, because the client acts on its own behalf: to get a token you only need to present the client credentials, i.e. the client ID and the secret.

The max token value therefore only works for the resource owner / client credentials combination, and does not apply to the client credentials grant flow.
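The following model is an added illustration of the rule the answer describes; it is not OTK's own code or policy. It keeps an in-memory token store keyed on (resource owner, client ID), enforces max_oauth_token_count=5 with behaviour "error" only when a resource owner is present, and so reproduces the observed outcome: a password grant is capped at 5 live tokens per user/client pair, while a client credentials grant for the same client is not capped at all. The `count_client_credentials` switch is a hypothetical extension (not an OTK setting) showing what a policy customization that also counts client-only tokens per client ID would change.

```python
"""Constructed model of the OTK max-token-count behaviour described above.

Not OTK code. The real limit is enforced inside gateway policy; this store
only models the rule stated in the article: the count is keyed on
(resource owner, client), and the client credentials grant carries no
resource owner, so the limit never fires for it.
"""
from collections import defaultdict
import secrets

MAX_OAUTH_TOKEN_COUNT = 5            # value used in the article
MAX_OAUTH_TOKEN_BEHAVIOUR = "error"  # value used in the article


class TokenLimitError(Exception):
    """Raised when the limit is reached and max_oauth_token_behaviour is 'error'."""


class TokenStore:
    def __init__(self, max_count=MAX_OAUTH_TOKEN_COUNT,
                 behaviour=MAX_OAUTH_TOKEN_BEHAVIOUR,
                 count_client_credentials=False):
        self.max_count = max_count
        self.behaviour = behaviour
        # Hypothetical switch (not an OTK setting): also cap client-only tokens.
        self.count_client_credentials = count_client_credentials
        self.tokens = defaultdict(list)  # (resource_owner, client_id) -> live tokens

    def issue(self, client_id, grant_type, resource_owner=None):
        """Issue a token following the rule the article states.

        password / authorization_code: key = (resource_owner, client_id), limit enforced.
        client_credentials: no resource owner, limit not checked (observed OTK behaviour),
        unless the hypothetical count_client_credentials switch is on.
        """
        if grant_type == "client_credentials":
            key = (None, client_id)
            limit_applies = self.count_client_credentials
        else:
            if resource_owner is None:
                raise ValueError(f"{grant_type} grant requires a resource owner")
            key = (resource_owner, client_id)
            limit_applies = True

        if limit_applies and len(self.tokens[key]) >= self.max_count:
            if self.behaviour == "error":
                raise TokenLimitError(
                    f"max_oauth_token_count={self.max_count} reached for {key}")
            # Other behaviour values are not described in the article; only 'error' is modelled.

        token = secrets.token_urlsafe(16)  # constructed opaque token
        self.tokens[key].append(token)
        return token

    def count(self, client_id, resource_owner=None):
        """Number of live tokens for the (resource owner, client) pair."""
        return len(self.tokens[(resource_owner, client_id)])


def demo(attempts=8):
    """Return (password tokens issued, client_credentials tokens issued) after
    `attempts` requests each for client 'app1' with the article's settings."""
    store = TokenStore()
    issued_pw = 0
    for _ in range(attempts):
        try:
            store.issue("app1", "password", resource_owner="alice")
            issued_pw += 1
        except TokenLimitError:
            break
    issued_cc = 0
    for _ in range(attempts):
        store.issue("app1", "client_credentials")  # never raises in this model
        issued_cc += 1
    return issued_pw, issued_cc


if __name__ == "__main__":
    print(demo())  # (5, 8): password grant capped at 5, client credentials uncapped
```

Running `demo()` shows the asymmetry the article reports: the sixth password-grant request for alice/app1 is rejected, while eight client credentials requests for app1 all succeed. Because an unbounded number of live client-only tokens is the practical consequence, a practitioner who needs a cap for service clients must enforce it on the client ID alone, as the `count_client_credentials` switch illustrates.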