We’re running into a critical issue with our performance goal synchronization process in Oracle HCM Cloud 23c. Our background job syncs performance goals from an external system using Oracle Identity Cloud Service for authentication, but SSO tokens are expiring mid-process during large batch operations.
The sync typically processes 5000+ employee goals and takes about 45 minutes. Around the 30-minute mark, we start seeing authentication failures:
HTTP 401: Token expired
at GoalSyncService.updateGoals(line 234)
Remaining records: 1847
We’ve configured token lifecycle management, but the refresh token implementation doesn’t seem to trigger automatically during the sync. The job lacks checkpoint recovery, so when authentication fails, we lose progress and have to restart the entire batch. This creates duplicate goals and data inconsistencies.
Our background job authentication strategy needs improvement. Has anyone implemented a robust token refresh mechanism for long-running sync operations? How do you handle checkpoint recovery when tokens expire mid-batch?
Your background job authentication strategy needs to leverage refresh tokens properly. When you initially authenticate and receive an access token, you also get a refresh token with a much longer TTL (typically 24 hours). Implement a token manager class that monitors the access token’s exp claim and automatically calls the token refresh endpoint when you’re within 5 minutes of expiration. This ensures continuous authentication without interrupting the sync process. Also, make sure your OAuth2 client credentials include the offline_access scope to receive refresh tokens.
Thanks for the suggestions. I’m particularly interested in the token manager approach. How exactly do you parse the JWT token to check the exp claim during the sync? And when you call the refresh endpoint, does that create a new session or extend the existing one?
I’ve seen this pattern before with OAuth2 tokens in batch processes. The default token TTL in Oracle Identity Cloud is typically 3600 seconds (1 hour), but your sync is hitting limits at 30 minutes probably due to active token validation intervals. The key issue is that your sync service isn’t implementing proactive token refresh before expiration. You need to check token expiry timestamps and refresh tokens before they become invalid, not after getting 401 errors.
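A sketch of the token manager and checkpointing discussed in this thread, added here as an example and not code from any of the posters or from Oracle: it reads the exp claim from the JWT payload, refreshes 5 minutes before expiry, and commits a checkpoint after each record so a failed run resumes instead of restarting. Assumptions: `refresh_fn` is a hypothetical stand-in for the call to your identity provider's token endpoint, `send` and the `checkpoint` dict stand in for the real update call and durable storage, and the tokens and clock in `demo` are constructed.

```python
import base64, json, time

REFRESH_MARGIN = 300  # seconds; the 5-minute window suggested in the thread

def jwt_exp(token):
    """Read exp from a JWT payload. Scheduling hint only: no signature check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

class TokenManager:
    def __init__(self, access_token, refresh_fn, clock=time.time):
        self.token = access_token
        self.refresh_fn = refresh_fn  # hypothetical: calls the token endpoint
        self.clock = clock
        self.refreshes = 0

    def current(self):
        # Refresh proactively, before the server would answer 401.
        if jwt_exp(self.token) - self.clock() <= REFRESH_MARGIN:
            self.token = self.refresh_fn()
            self.refreshes += 1
        return self.token

def sync_goals(records, tokens, send, checkpoint):
    """Resume after the last committed record; commit after each success."""
    for i in range(checkpoint.get("next", 0), len(records)):
        send(records[i], tokens.current())
        checkpoint["next"] = i + 1  # persist durably in a real job
    return checkpoint["next"]

def make_jwt(exp):
    """Constructed, unsigned sample token for the demo."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}.sig"

def demo():
    now = [0]  # fake clock, in seconds
    tm = TokenManager(make_jwt(3600), lambda: make_jwt(now[0] + 3600), lambda: now[0])
    sent, cp = [], {}

    def send(rec, tok):
        if jwt_exp(tok) <= now[0]:
            raise RuntimeError("HTTP 401: Token expired")
        sent.append(rec)
        now[0] += 60  # each record "costs" a minute in this simulation

    done = sync_goals(list(range(120)), tm, send, cp)
    return done, tm.refreshes, len(sent)
```

Keep the access and refresh tokens out of job logs and out of the checkpoint store; the checkpoint only needs the record position.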