We’re running ThingWorx 9.7 with a custom authentication extension that worked perfectly until we enabled stricter security policies last week. Now users are getting 403 Forbidden errors when trying to refresh their session tokens, forcing them to log in repeatedly throughout the day.
The authentication extension validates tokens against our corporate SSO system. Our security policy endpoint configuration requires token validation every 15 minutes, but something breaks during the refresh cycle:
POST /Thingworx/AuthenticationExtension/refresh
Response: 403 Forbidden
Error: "Token validation failed - security policy mismatch"
Session validation enforcement seems to reject valid tokens during refresh. The custom authentication extension worked fine with default policies. Is there a compatibility issue between custom auth extensions and stricter security policy configurations? Users are frustrated with constant re-authentication interruptions.
I’ve seen similar 403 errors with custom auth extensions. The problem usually stems from how the extension handles the security context during token refresh. When you enable stricter security policies, ThingWorx validates additional claims that your extension might not be populating correctly. Check if your refresh method is setting all required security attributes, especially the policy validation timestamp.
Security policy endpoint configuration in 9.7 requires explicit declaration of which policies apply to custom authentication flows. Your extension needs to register compatible policy handlers in the authenticator configuration. Without proper registration, the platform treats refresh requests as policy violations. Have you updated your authenticator’s metadata to declare support for the new security policies you enabled?
One more thing to check - your custom authentication extension needs to handle policy version mismatches gracefully. When security policies update, older tokens might carry outdated policy signatures. During refresh, compare the token’s policy version with the current active version. If they don’t match, your extension should re-validate the entire credential chain rather than just refreshing the token. This ensures session validation enforcement doesn’t reject the refresh as a security violation.
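As an added illustration, not part of this thread and not ThingWorx SDK code, the refresh logic the replies above describe: the handler checks the token's policy version and validation timestamp against the active policy, renews the token locally only when both match, and otherwise re-validates the whole credential chain against SSO before issuing a fresh token. The token format, the claim names (policy_version, validated_at), the function names and the in-memory SSO lookup are all assumptions constructed for the example.

```python
# Added example of the refresh flow discussed above. Not ThingWorx code:
# the token format, claim names and the in-memory SSO stand-in are constructed.
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-example-key"  # constructed, not a real secret
# Assumed description of the currently active security policy.
ACTIVE_POLICY = {"version": 3, "validation_interval_s": 15 * 60}

# Constructed stand-in for the corporate SSO: which subjects still have a live session.
SSO_SESSIONS = {"alice": True, "mallory": False}


def _sign(payload: str) -> str:
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(subject: str, policy_version: int, validated_at: int) -> str:
    """Mint a signed token carrying the subject, the policy version it was
    validated under, and the timestamp of that validation."""
    claims = {"sub": subject, "policy_version": policy_version, "validated_at": validated_at}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(payload)}"


def parse_token(token: str) -> dict:
    """Verify the signature and return the claims; raise on tampering."""
    payload, sig = token.rsplit(".", 1)
    if not hmac.compare_digest(_sign(payload), sig):
        raise ValueError("signature mismatch")
    return json.loads(base64.urlsafe_b64decode(payload))


def sso_validate(subject: str) -> bool:
    """Full credential-chain check against the (constructed) SSO directory."""
    return SSO_SESSIONS.get(subject, False)


def refresh_token(token: str, now: int) -> tuple:
    """Refresh handler.

    Returns (action, new_token) where action is one of:
      "refreshed"   - claims matched the active policy; token renewed locally
      "revalidated" - policy version mismatch or overdue validation; SSO re-checked
      "rejected"    - bad signature, or SSO no longer vouches for the subject
    """
    try:
        claims = parse_token(token)
    except ValueError:
        return "rejected", None

    version_mismatch = claims["policy_version"] != ACTIVE_POLICY["version"]
    stale = now - claims["validated_at"] > ACTIVE_POLICY["validation_interval_s"]

    if version_mismatch or stale:
        # Token carries an older policy version, or its validation is overdue:
        # do not just re-stamp it; re-validate the whole credential chain.
        if not sso_validate(claims["sub"]):
            return "rejected", None
        return "revalidated", issue_token(claims["sub"], ACTIVE_POLICY["version"], now)

    # Same policy version and within the validation window: renew the token and
    # set the validation timestamp the stricter policy expects to be present.
    return "refreshed", issue_token(claims["sub"], claims["policy_version"], now)
```

The point of the split is that a token minted under policy version 2 is never silently re-issued when version 3 is active; it either passes a full SSO check and comes back with the current version and a fresh timestamp, or the refresh is rejected, which is the outcome you want instead of a bare 403 that the user cannot interpret.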
Thanks for the insights. I checked our authenticator metadata and you’re right - we never declared policy compatibility. The extension was built before these stricter policies existed. What’s the correct way to update the metadata? Do I need to rebuild the entire extension or can I patch the configuration?