How to implement inactivity timeouts with access tokens

Not applicable

I understand that OAuth by default doesn't have a concept of inactivity timeouts. That is more session related. However, I have a situation where the access token timeout is 30 minutes, but the clients want it expired after 10 minutes of inactivity. What is the best way of implementing this? There are no refresh token issues in this scenario.


Former Community Member
Not applicable

You are correct, OAuth 2 has no specification for session expiry. Apigee will have no mechanism to determine if the user was idle (the user could be interacting with the browser without making API calls). I believe there are some draft proposals to handle this in OpenID Connect (which is built on top of OAuth 2). I think you are better off handling this via session cookies and a web server for now.

This is a hard requirement. The consumer is a mobile app and since we are migrating from an existing platform we can't impose new functionality such as session cookies. Would it make sense if I capture in the access token a custom attribute to store the last used time and continuously update it every time it's verified? If the time elapsed between last used and current time is greater than 10 minutes I throw an error. Does this make sense? Is this a feasible approach?


Former Community Member
Not applicable

Not necessarily. The user could be using the app but not making API calls. How will Apigee distinguish between the two scenarios? Perhaps this is logic you can write in the app itself. Because the app knows when the user was truly inactive vs active.

I completely get your point. However, it's the same issue with session cookies. Only interaction with the web server counts towards activity. So if we define the scope as: if no API calls have been made in the last 10 minutes using the access token, I need to reject the request, does my approach make sense or is there a better way?

Former Community Member
Not applicable

Yes. Creating an attribute called "lastAccessed" will work. All proxies can use the SetOAuth2 policy to update the time stamp.

I can think of 1-2 other ways, but this appears to be the simplest to implement.
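The following is an added example, not code from the thread or from Apigee, that models the "lastAccessed" approach agreed on above with an in-memory token store. The token store, the token strings, the timeline and the attribute name `lastAccessed` are all constructed for illustration; the 30-minute lifetime and 10-minute idle limit are the values from the question. In an Apigee proxy the comparison logic would sit in a JavaScript policy after VerifyAccessToken, reading the custom attribute exposed for the verified token, and the refreshed timestamp would be written back with the SetOAuthV2Info policy (the thread's "SetOAuth2 policy"); the exact flow variable names are an assumption and depend on the attribute name you choose.

```javascript
// Added example (not from the thread): in-memory model of the
// "lastAccessed" inactivity check. Values below are constructed.
const ABSOLUTE_LIFETIME_MS = 30 * 60 * 1000; // access token lifetime from the question
const IDLE_LIMIT_MS = 10 * 60 * 1000;        // inactivity limit requested by the clients

// Constructed token store: opaque token string -> record.
// In Apigee the equivalent data lives in the token store and is exposed
// after VerifyAccessToken as flow variables (variable names are an assumption).
function createTokenStore() {
  return new Map();
}

function issueToken(store, token, issuedAtMs) {
  store.set(token, {
    issuedAt: issuedAtMs,
    expiresAt: issuedAtMs + ABSOLUTE_LIFETIME_MS,
    lastAccessed: issuedAtMs, // initialise so the first call has a baseline
  });
}

// Verify a token at time nowMs. Returns { ok: true } or { ok: false, reason }.
// Order matters: the absolute expiry is checked first, then inactivity,
// and lastAccessed is refreshed only when the request is accepted, so a
// rejected call never extends the idle window.
function verifyToken(store, token, nowMs) {
  const rec = store.get(token);
  if (!rec) return { ok: false, reason: 'invalid_token' };
  if (nowMs >= rec.expiresAt) return { ok: false, reason: 'expired' };

  // A token issued before the attribute existed has no lastAccessed;
  // fall back to issuance time rather than treating it as "just used".
  const last = typeof rec.lastAccessed === 'number' ? rec.lastAccessed : rec.issuedAt;
  if (nowMs - last > IDLE_LIMIT_MS) return { ok: false, reason: 'inactive' };

  rec.lastAccessed = nowMs; // this is the value SetOAuthV2Info would persist
  return { ok: true };
}

// Constructed timeline: token issued at t0, then calls at 5, 14 and 25 minutes.
// The third call comes 11 minutes after the second and is rejected as inactive
// even though the token is still inside its 30-minute lifetime.
function runScenario() {
  const store = createTokenStore();
  const min = 60 * 1000;
  const t0 = Date.UTC(2024, 0, 1, 12, 0, 0);
  issueToken(store, 'tok-abc', t0);
  return [
    verifyToken(store, 'tok-abc', t0 + 5 * min),  // 5 min idle  -> ok
    verifyToken(store, 'tok-abc', t0 + 14 * min), // 9 min idle  -> ok
    verifyToken(store, 'tok-abc', t0 + 25 * min), // 11 min idle -> inactive
  ].map((r) => (r.ok ? 'ok' : r.reason));
}

console.log(runScenario().join(', ')); // ok, ok, inactive
```

Two points worth keeping from the model when moving it into a proxy: the idle check must use the timestamp as it was before this request (read, compare, then write), and the absolute 30-minute expiry still applies regardless of activity, so a token kept alive by steady traffic still dies at its original expiry.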