In OAuth 2.0 and OpenID Connect (OIDC) authentication flows, access tokens are intentionally short-lived to limit exposure in the event of token compromise. Refresh Token Support allows the miniOrange OAuth & OpenID Connect SSO plugin for Joomla to silently obtain a new access token in the background once the current one expires, keeping the user's session alive without requiring them to log in again. This gives organizations the ability to enforce strict token lifetimes as a security measure while simultaneously delivering a smooth, uninterrupted experience for end users.

To enable Refresh Token Support in Joomla, you will need the following:

miniOrange OAuth Client Extension for Joomla

When an access token expires mid-session on a Joomla website, the user is abruptly logged out and redirected to the login page. In workflows that involve sustained engagement, such as editing content, filling long forms, or processing transactions, this sudden interruption can result in lost progress and a frustrating user experience.

The instinctive workaround of extending access token lifetimes introduces its own risk: a longer-lived token that is intercepted remains exploitable for a greater period of time. Organizations are therefore caught between two undesirable outcomes: frequent login disruptions or weakened token security, with no middle ground available through standard configuration alone.

The miniOrange OAuth & OpenID Connect SSO plugin handles token renewal entirely in the background, requiring a one-time configuration on both the plugin and the Identity Provider side.


Step 1: Complete the initial OAuth/OIDC setup between the miniOrange plugin and your Identity Provider on all relevant Joomla websites.


Step 2: In your Identity Provider, enable refresh token issuance for the OAuth client. In Keycloak, make sure the client is allowed to use the refresh_token grant (it is issued with the standard authorization code flow) and, if the session is expected to outlive the Keycloak SSO session, grant the client the Offline Access (offline_access) scope. In Azure AD (Microsoft Entra ID), include the offline_access scope in the authorization request; without it the token response contains no refresh token at all.


Step 3: In the miniOrange plugin's configuration panel, navigate to Additional Features and set the Grant type as Refresh Token Grant.


Step 4: Set the Access Token Expiry Threshold, the buffer time before expiry at which the plugin proactively initiates a background renewal request.


Step 5: Define the Refresh Token Lifetime on your Identity Provider to establish the maximum session duration before a full re-authentication is required, in line with your organization's security policy. Keep in mind that this lifetime is also the window during which a stolen refresh token can be exchanged for new access tokens, so it should be as short as your usability requirements allow.


Step 6: Save and test by logging in and allowing the access token to reach its expiry threshold, confirming the session remains active without any user prompt.
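The six steps above describe a flow that is easier to reason about in code. The following is an added example written for this page in Python; it is not the miniOrange plugin's own (PHP) implementation. The identity provider is a constructed in-memory stand-in (`FakeTokenEndpoint`) so the example runs offline, the client identifiers and user name are made up, and the request and response fields follow RFC 6749: the `offline_access` scope is requested at login (Step 2), the client renews the access token once it is within an expiry threshold of running out (Step 4), the provider rotates refresh tokens and enforces a refresh token lifetime (Step 5), and when that lifetime is exceeded the session is dropped and a full login is required.

```python
"""Proactive refresh-token renewal driven by an access-token expiry threshold.

Added example, not the miniOrange plugin's (PHP) code. The identity provider is
a constructed in-memory stand-in so everything runs offline.
"""
import secrets
from urllib.parse import urlencode


def authorization_url(authorize_endpoint, client_id, redirect_uri, state):
    """Step 2 for Azure AD style providers: ask for offline_access so the
    token response carries a refresh token next to the access token."""
    return authorize_endpoint + "?" + urlencode({
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid profile offline_access", "state": state})


class ReauthenticationRequired(Exception):
    """The refresh token was rejected; only a full login can continue."""


class FakeTokenEndpoint:
    """Hypothetical IdP token endpoint: access tokens live access_ttl seconds,
    refresh tokens refresh_ttl seconds from login, and every refresh rotates
    the refresh token so the previous one stops working."""

    def __init__(self, client_id, client_secret, access_ttl=300, refresh_ttl=3600):
        self.client_id, self.client_secret = client_id, client_secret
        self.access_ttl, self.refresh_ttl = access_ttl, refresh_ttl
        self._refresh = {}  # refresh_token -> (subject, session start time)

    def _tokens(self, subject, started):
        new_refresh = secrets.token_urlsafe(32)
        self._refresh[new_refresh] = (subject, started)
        return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(32),
                "expires_in": self.access_ttl, "refresh_token": new_refresh}

    def login(self, subject, now):
        """Stands in for the authorization-code exchange at login time."""
        return self._tokens(subject, now)

    def post(self, form, now):
        """Handles the refresh_token grant (RFC 6749 section 6)."""
        if (form.get("client_id"), form.get("client_secret")) != (self.client_id, self.client_secret):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        entry = self._refresh.pop(form.get("refresh_token"), None)  # single use
        if entry is None or now - entry[1] >= self.refresh_ttl:
            return {"error": "invalid_grant"}  # unknown, reused, or lifetime exceeded
        return self._tokens(*entry)


class RefreshingSession:
    """Tokens of one user session. bearer() renews the access token once it is
    within `threshold` seconds of expiry (Step 4) with no user interaction."""

    def __init__(self, endpoint, client_id, client_secret, threshold, clock):
        self.endpoint, self.threshold, self.clock = endpoint, threshold, clock
        self.client_id, self.client_secret = client_id, client_secret
        self.access_token = self.refresh_token = None
        self.expires_at, self.refresh_count = 0, 0

    def store(self, resp):
        self.access_token = resp["access_token"]
        self.refresh_token = resp.get("refresh_token", self.refresh_token)  # keep old if not rotated
        self.expires_at = self.clock() + resp["expires_in"]

    def needs_refresh(self):
        return self.expires_at - self.clock() <= self.threshold

    def bearer(self):
        if self.needs_refresh():
            resp = self.endpoint.post({"grant_type": "refresh_token",
                                       "refresh_token": self.refresh_token,
                                       "client_id": self.client_id,
                                       "client_secret": self.client_secret}, self.clock())
            if "error" in resp:  # refresh-token lifetime (Step 5) reached: end the session
                self.access_token = self.refresh_token = None
                raise ReauthenticationRequired(resp["error"])
            self.store(resp)
            self.refresh_count += 1
        return self.access_token


def demo(access_ttl=300, refresh_ttl=3600, threshold=60, step=30):
    """Makes a request every `step` seconds (Step 6); returns the number of
    silent renewals and whether the refresh-token lifetime forced a re-login."""
    now = [1_700_000_000]  # constructed clock, advanced by hand
    idp = FakeTokenEndpoint("joomla-sso", "s3cret", access_ttl, refresh_ttl)
    session = RefreshingSession(idp, "joomla-sso", "s3cret", threshold, lambda: now[0])
    session.store(idp.login("alice", now[0]))
    for _ in range(refresh_ttl // step + 2):
        now[0] += step
        try:
            session.bearer()
        except ReauthenticationRequired:
            return session.refresh_count, True
    return session.refresh_count, False  # demo() -> (14, True)
```

With the defaults (300 s access tokens, 60 s threshold, 3600 s refresh token lifetime) the session renews silently every 240 s, fourteen times, and the fifteenth attempt is refused with `invalid_grant`, which is the point at which the plugin would send the user back to the login page. The clock is injected rather than read from `time.time()` so the threshold logic can be exercised without waiting; a real client would also persist the rotated refresh token immediately, since the provider invalidates the previous one on every renewal.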


With Refresh Token Support in place, organizations no longer need to compromise on either side of the security-versus-usability equation. Short access token lifetimes remain enforceable as a security standard, while users experience continuous, uninterrupted access to Joomla applications throughout their working sessions. Security and IT teams also retain granular control over refresh token expiry and session duration policies, ensuring the solution remains fully aligned with organizational compliance requirements.

  1. SAML Single Sign-On for Joomla
  2. Access Security via Compartmentalization - OAuth Protocol in Joomla!
  3. SAML vs OAuth in Joomla: Which should you choose?
  4. Check out our documentation
