By: Mike Con user 23 Aug 2021 at 10:11 a.m. CDT

3 Responses
Hello, We're trying to understand how the access token works. We currently have our access token set to 24hrs. What is the behaviour of the access token from a session perspective? If we set this to 30min, what impact will it have on our users? Does the access token time out after user inactivity? How does it work?

By Michael Schwartz Account Admin 23 Aug 2021 at 10:14 a.m. CDT

Access tokens have no relation to sessions. A session is an association of a person to a web browser. An access token is the authorization of a client (i.e. a piece of software) to call an API (as designated by the presence of scopes in the access token). Access tokens are good until they expire. 24 hours is an unusually long time for an access token. Best practice is 1-5 minutes. What I would recommend is a short-lived access token, with a refresh token that lives for 24 hours. This would better maintain the security profile.
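
The lifetime behaviour described in the reply above, as an added example that is not part of the original post and not Gluu's code: a hypothetical in-memory token endpoint in which access-token expiry is absolute (use does not extend it) and a 24-hour refresh token mints replacements. The 5-minute TTL, the class and function names, the client id and the scope are constructed for illustration.

```python
import secrets

ACCESS_TTL = 5 * 60          # assumed: 5 minutes, top of the 1-5 minute range
REFRESH_TTL = 24 * 60 * 60   # 24 hours, as recommended in the reply

class TokenServer:
    """Hypothetical token endpoint; the caller passes the current time in seconds."""

    def __init__(self):
        self.access = {}    # token -> (client_id, scopes, expires_at)
        self.refresh = {}   # token -> (client_id, scopes, expires_at)

    def _mint_access(self, client_id, scopes, now):
        token = secrets.token_urlsafe(32)
        self.access[token] = (client_id, scopes, now + ACCESS_TTL)
        return token

    def issue(self, client_id, scopes, now):
        # Initial grant: one access token plus one refresh token.
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = (client_id, frozenset(scopes), now + REFRESH_TTL)
        return self._mint_access(client_id, frozenset(scopes), now), rt

    def check(self, token, scope, now):
        # API-side check. Expiry is fixed at issue time: using the token
        # never pushes it back, and no browser session is consulted.
        entry = self.access.get(token)
        if entry is None:
            return False
        _, scopes, expires_at = entry
        return now < expires_at and scope in scopes

    def refresh_access(self, rt, now):
        # Exchange a live refresh token for a new access token, else None.
        entry = self.refresh.get(rt)
        if entry is None or now >= entry[2]:
            return None
        client_id, scopes, _ = entry
        return self._mint_access(client_id, scopes, now)

def demo():
    srv, t0 = TokenServer(), 0
    at, rt = srv.issue("client-app", {"orders.read"}, t0)   # constructed values
    used_at_4min = srv.check(at, "orders.read", t0 + 240)   # still valid
    still_ok_6min = srv.check(at, "orders.read", t0 + 360)  # expired despite recent use
    at2 = srv.refresh_access(rt, t0 + 360)                  # client renews silently
    renewed_ok = srv.check(at2, "orders.read", t0 + 400)
    after_24h = srv.refresh_access(rt, t0 + REFRESH_TTL)    # refresh token has expired
    return used_at_4min, still_ok_6min, renewed_ok, after_24h
```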

By Mike Con user 23 Aug 2021 at 11:11 a.m. CDT

Thanks. What about web session expire duration and Gluu login token expire duration?

1. gluu login token expire duration
2. refresh token expiration - set to 24hrs
3. web session expire duration

By Michael Schwartz Account Admin 23 Aug 2021 at 11:19 a.m. CDT

Web session expiration is up to you. Google never expires your web session... I'm not sure what "login token expire" duration refers to.