Security Token Persistence in WSO2 Identity Server 5.1.0

When we apply a security policy to the Security Token Service, a token store is also specified. If we navigate to the registry path /_system/config/repository/axis2/service-groups/org.wso2.carbon.sts-5.0.7/services/wso2carbon-sts/policies/ and view the content of the applied policy, the token store details are included as follows:


The token store class is picked from the following property in the carbon.xml file.


However, the default DBTokenStore is an in-memory token store (regardless of what the name implies). Therefore, over time, the token store will retain a significant amount of JVM heap if a large number of users obtain security tokens. Also, the issued tokens will be invalid after a server restart.

If required, we can change the token store to a DB-based one. To do so, change the TokenStoreClassName in carbon.xml as follows.


After making the change, restart the server and re-apply the security policy to the Security Token Service. The tokens will then be persisted in the IDN_STS_STORE table.
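To confirm which token store a given carbon.xml actually selects (for example, when auditing several nodes), the following added example, which is not part of the original post, reads TokenStoreClassName and flags the in-memory default. The sample XML and its `org.example` package names are constructed; only the simple class name DBTokenStore comes from the text above.

```python
import xml.etree.ElementTree as ET

# Simple class name the post identifies as the in-memory default.
IN_MEMORY_SIMPLE_NAME = "DBTokenStore"

# Constructed sample; package names are placeholders, not real WSO2 classes.
SAMPLE_DEFAULT = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <Security>
    <!-- <TokenStoreClassName>org.example.sts.OldStore</TokenStoreClassName> -->
    <TokenStoreClassName>
      org.example.sts.DBTokenStore
    </TokenStoreClassName>
  </Security>
</Server>"""
SAMPLE_CHANGED = SAMPLE_DEFAULT.replace("DBTokenStore", "PersistentStore")


def local_name(tag):
    """Strip an XML namespace prefix: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def token_store_class(carbon_xml_text):
    """Return the active TokenStoreClassName value, or None if absent or empty.

    Commented-out elements are ignored because the parser drops comments.
    """
    root = ET.fromstring(carbon_xml_text)
    for elem in root.iter():
        if isinstance(elem.tag, str) and local_name(elem.tag) == "TokenStoreClassName":
            return (elem.text or "").strip() or None
    return None


def audit_token_store(carbon_xml_text):
    """Classify the configured token store as unset, in-memory, or non-default."""
    cls = token_store_class(carbon_xml_text)
    if cls is None:
        return ("unset", None)
    if cls.rsplit(".", 1)[-1] == IN_MEMORY_SIMPLE_NAME:
        # Tokens live on the JVM heap and are lost on restart.
        return ("in-memory", cls)
    return ("non-default", cls)


if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("changed", SAMPLE_CHANGED)):
        print(name, audit_token_store(text))
```

A "non-default" result only shows that the class was changed; whether tokens are reaching the database still has to be checked against the IDN_STS_STORE table after re-applying the policy.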