AlfrescoArchive / alfresco-oauth-sample

Simple OAuth Sample application using html and Javascript

tokens validity period #7

Closed dima72 closed 9 years ago

dima72 commented 9 years ago

I'm doing refresh of tokens after initial Oauth and getting { "access_token":"28f88a82-a62b-4e44-9312-16a4a5d2e71c", "token_type":"Bearer", "expires_in":3600, "refresh_token":"e98f372c-e5a6-49e5-ba55-a0358d877eb2", "scope":"public_api" }

but my application will request new OAuth authentication again the next day it runs. Is there a way to set up refresh_token validity for a longer period of time?

Respectfully,

jottley commented 9 years ago

No. The way that it has been configured is to provide a refresh token with each new token issued. Once the refresh token is used it cannot be reused. The refresh tokens will live for 7 days but will expire if used before then. Your code will need to persist the refresh token with each new access token issued.


dima72 commented 9 years ago

Can you please suggest how much time the initial token_access is valid, and should it be refreshed before it expires or when I get an exception ( --invalid token --)? If I understand correctly, the application can work without new OAuth for 7 + 7 days. Or it will work as long as possible without new OAuth if I refresh the token once in 6 days or so. Yes, I keep tokens persisted when the application shuts down. Respectfully,

dima72 commented 9 years ago

I'm testing now. After the initial OAuth, the access_token is valid for about one hour until I get the exception 'The access token expired'

jottley commented 9 years ago

The initial token is valid for 1 hour. Your code should handle invalid token exceptions. When it gets the exception it can use the refresh token to get a new access token and refresh token. Those tokens can/should be persisted.

The flow would look something like this:

1. User attempts to access a resource in Alfresco.
2. They are prompted to authenticate.
3. The access and refresh tokens are returned to your application and persisted. (You may also persist the expires_in to preemptively validate if your access token is still good. I won't cover that here.)
4. The access token is used to access resources in Alfresco.
5. At some point in the future (1 hr+) the user attempts to access an Alfresco resource again.
6. Alfresco returns that the user no longer has access.
7. The code should then attempt to get a new access token with the refresh token.
8. The returned tokens are persisted and the access token is used to access the resource.
9. If the refresh token is unable to retrieve a token, the user should be prompted to authenticate again and the tokens persisted.

I like the approach where time is not tested. This allows for the case in which the service provider modifies the TTL of these tokens and the code works with the adjustment with no interaction needed by the developer.

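The flow jottley describes above, written out as an added example that is not part of the original thread or the Alfresco sample. It goes one step beyond the thread by making concurrent requests share a single refresh, since a used refresh token cannot be reused. Assumptions: an expired access token surfaces as HTTP 401, and `createClient`, `transport`, `store`, `reauthenticate` and `fakeServer` are hypothetical names with a constructed in-memory server.

```javascript
// Added example (not Alfresco's code): transport, store, reauthenticate are hypothetical.
function createClient(transport, store, reauthenticate) {
  let pending = null; // shared promise: at most one refresh in flight
  async function rotate(refreshToken) {
    let fresh;
    try {
      fresh = await transport.refresh(refreshToken);
    } catch (err) {
      fresh = await reauthenticate(); // refresh token expired or already used
    }
    store.save(fresh); // persist BOTH new tokens; the old refresh token is spent
    return fresh;
  }
  function renew(stale) {
    const current = store.load();
    // Another caller already rotated the pair: use what it persisted.
    if (current.access_token !== stale.access_token) return Promise.resolve(current);
    // Refresh tokens are single use, so concurrent callers share one refresh.
    if (!pending) {
      pending = rotate(current.refresh_token).finally(() => { pending = null; });
    }
    return pending;
  }
  return async function request(path) {
    const tokens = store.load();
    const res = await transport.callApi(tokens.access_token, path);
    if (res.status !== 401) return res;
    // Rejected token: renew without consulting expires_in, then retry once.
    const fresh = await renew(tokens);
    return transport.callApi(fresh.access_token, path);
  };
}

// Constructed in-memory stand-in for the token endpoint and the API.
function fakeServer() {
  let n = 0, valid = { access: null, refresh: "r0" }, refreshCalls = 0;
  return {
    get refreshCalls() { return refreshCalls; },
    async callApi(access, path) {
      return access === valid.access ? { status: 200, path } : { status: 401 };
    },
    async refresh(token) {
      refreshCalls++;
      if (token !== valid.refresh) throw new Error("invalid_grant");
      n++; valid = { access: "a" + n, refresh: "r" + n };
      return { access_token: valid.access, refresh_token: valid.refresh };
    },
  };
}
```

In a real application `store` would write to durable storage so the latest refresh token survives a restart.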