bshaffer / oauth2-server-php-docs

documentation for the oauth2-server-php library

Access Token Expiry #19

Closed yankeeinlondon closed 10 years ago

yankeeinlondon commented 10 years ago

I am considering having applications allowed to use the "client credentials" workflow (aka, internal apps) have no expiry. In looking at the code it looks like the expiry timeframe is set at the "server" level (on construction) rather than on a workflow basis. Anyway, my questions are:

  1. Is there a way to change Expiry behaviour by workflow type?
  2. Is there a way to turn off expiry for certain workflow types?
  3. Are there any strong reasons NOT to allow for a non-expiring policy for "client credentials"?

Ken

yankeeinlondon commented 10 years ago

Ok, I think I see now that the HttpBasic class's constructor provides a mechanism to provide a grant-specific configuration. I think (untested) that that solves number 1 from above.

bshaffer commented 10 years ago

These are all very good questions.

  1. It's possible to override the Response Type's createAccessToken method to change the expiration per client_id. This is currently the recommended way.
  2. You cannot currently turn off expiration for access tokens. However, setting refresh_token_lifetime to 0 will turn off expiration for refresh tokens.
  3. A cornerstone of OAuth is that tokens are refreshed in order to decrease the danger of them being stolen. However, if you are confident the token transaction cannot be intercepted (i.e. server-to-server communication behind a firewall) then I can think of no reason you can't have a non-expiring token.

Sorry for the long delay, this slipped under my radar.
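The override bshaffer recommends in point 1, written out as an added example (not code from the issue or from the library): a subclass of the library's AccessToken response type that picks the lifetime per client_id, giving a small allowlist of server-to-server clients a longer but still bounded lifetime. It assumes the library's `access_lifetime` config key, the protected `$config` property, and the `createAccessToken($client_id, $user_id, $scope, $includeRefreshToken)` signature; the client_ids, lifetimes and PDO DSN are constructed sample values.

```php
<?php
// Added example, not part of oauth2-server-php or the issue thread.
// Requires PHP 5.5+ for try/finally.
use OAuth2\ResponseType\AccessToken;

class PerClientLifetimeAccessToken extends AccessToken
{
    /** @var array<string,int> client_id => access_lifetime in seconds */
    private $lifetimes;

    public function __construct($tokenStorage, $refreshStorage = null,
                                array $config = array(), array $lifetimes = array())
    {
        parent::__construct($tokenStorage, $refreshStorage, $config);
        $this->lifetimes = $lifetimes;
    }

    /** Lifetime for this client, falling back to the server-wide access_lifetime. */
    public function lifetimeFor($client_id)
    {
        return isset($this->lifetimes[$client_id])
            ? (int) $this->lifetimes[$client_id]
            : (int) $this->config['access_lifetime'];
    }

    public function createAccessToken($client_id, $user_id, $scope = null, $includeRefreshToken = true)
    {
        // Temporarily swap the configured lifetime so the parent's expires_in and
        // stored expiry use the per-client value; always restore it afterwards so
        // other clients handled by the same server instance are unaffected.
        $saved = $this->config['access_lifetime'];
        $this->config['access_lifetime'] = $this->lifetimeFor($client_id);
        try {
            return parent::createAccessToken($client_id, $user_id, $scope, $includeRefreshToken);
        } finally {
            $this->config['access_lifetime'] = $saved;
        }
    }
}

// Sample wiring (constructed values): default tokens live 1 hour, the internal
// reporting job gets 24 hours. Expiry stays on for every client.
$storage = new OAuth2\Storage\Pdo(array('dsn' => 'sqlite:/path/to/oauth.sqlite'));
$server  = new OAuth2\Server($storage, array('access_lifetime' => 3600));
$server->addGrantType(new OAuth2\GrantType\ClientCredentials($storage));
$server->addResponseType(new PerClientLifetimeAccessToken(
    $storage, $storage, array('access_lifetime' => 3600),
    array('internal-reporting-job' => 86400)
));
```

Because the expiry is still written to storage, revoking a long-lived client token remains a matter of deleting its row, which is the fallback a non-expiring policy would lose.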