
Thread: Access token - life span

  1. #1
    Join Date
    Nov 2011
    Posts
    8


    Hello,
    I will club a few questions together here.

    1. Does OAuth support having a never-expiring access token? The goal is to get an access token and use it until the user logs out or does not use the token for a certain period of time. This is to avoid having to refresh the token.

    2. If 1 is not possible, is the only way to set the expiration time on the access token to a large interval? If so, is there a way to remove the token if it is not used for some time (say 2 hours)?

    3. We have implemented our own service to log out which removes the access token. Is that the right way to do it, or does Spring Security provide any other way of doing it?

    Appreciate any help.
    Thanks.

  2. #2
    Join Date
    Nov 2011
    Posts
    9


    Quote Originally Posted by Sharishetty
    Hello,
    I will club a few questions together here.

    1. Does OAuth support having a never-expiring access token? The goal is to get an access token and use it until the user logs out or does not use the token for a certain period of time. This is to avoid having to refresh the token.

    I don't think a never-expiring bean is possible in the current implementation (nor does the current spec allow this, I *think*). However, you could define your own token details service bean, set its accessTokenValiditySeconds property to a very large value (this should set the expiry time accordingly) and pass this bean to your resource-server definition as the token-services-ref.

    Code:

        <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.RandomValueTokenServices">
            <property name="tokenStore">
                <bean class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />
            </property>
            <property name="accessTokenValiditySeconds" value="30000" />
        </bean>

        <oauth:resource-server id="resourceServerFilter" resource-id="yourCoolResource" token-services-ref="tokenServices" />

    2. If 1 is not possible, is the only way to set the expiration time on the access token to a large interval? If so, is there a way to remove the token if it is not used for some time (say 2 hours)?
    In the default random value token service implementation, if the token expires and an attempt is made to use it, the token would be automatically removed from the token store.

    3. We have implemented our own service to log out which removes the access token. Is that the right way to do it, or does Spring Security provide any other way of doing it?
    On one level I do not understand this question. OAuth is session agnostic. The only things that matter are the validity and life span of the token not the user's (the resource owner's) session.

    If you do want to do it, spring-security-oauth, AFAIK, does not provide anything to do that. You could define a success-handler-ref for your logout handler in the spring-security configuration and take care of this.
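The three answers above describe one set of token-store semantics: an absolute lifetime (accessTokenValiditySeconds), lazy removal of an expired token the next time someone presents it, and explicit removal at logout. The following Python model, added here as an illustration and not code from spring-security-oauth or from either poster, puts those behaviours in one small in-memory store so the trade-offs can be exercised. It goes one step beyond the thread by adding the idle-timeout window question 2 asks about, so a token can carry a long absolute lifetime and still die after two hours of inactivity. The class and method names (InMemoryTokenStore, issue, load, revoke, FakeClock) are this example's own, and the clock values are constructed for the demo.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class AccessToken:
    value: str
    subject: str            # the resource owner the token was issued to
    issued_at: float
    last_used_at: float
    validity_seconds: int   # absolute lifetime (analogue of accessTokenValiditySeconds)
    idle_seconds: Optional[int]  # sliding inactivity window; None disables it


class InMemoryTokenStore:
    """Toy token store (hypothetical; not Spring's InMemoryTokenStore).

    Expiry is checked lazily when a token is presented, as the answer above
    describes, and an expired token is purged from the store at that moment.
    """

    def __init__(self, validity_seconds: int = 1800, idle_seconds: Optional[int] = None,
                 clock: Callable[[], float] = time.time) -> None:
        self._tokens: Dict[str, AccessToken] = {}
        self.validity_seconds = validity_seconds
        self.idle_seconds = idle_seconds
        self._clock = clock  # injectable so tests can drive time deterministically

    def issue(self, subject: str) -> str:
        now = self._clock()
        value = secrets.token_urlsafe(32)  # opaque, unguessable random value
        self._tokens[value] = AccessToken(value, subject, now, now,
                                          self.validity_seconds, self.idle_seconds)
        return value

    @staticmethod
    def _is_expired(tok: AccessToken, now: float) -> bool:
        if now >= tok.issued_at + tok.validity_seconds:
            return True  # absolute lifetime exceeded
        if tok.idle_seconds is not None and now >= tok.last_used_at + tok.idle_seconds:
            return True  # not used within the inactivity window
        return False

    def load(self, value: str) -> Optional[str]:
        """Resource-server check: return the subject, or None if the token is unknown or expired.

        An expired token is removed here, on first use after expiry (lazy purge).
        A valid token has its last-used time refreshed, which slides the idle window.
        """
        tok = self._tokens.get(value)
        if tok is None:
            return None
        now = self._clock()
        if self._is_expired(tok, now):
            del self._tokens[value]
            return None
        tok.last_used_at = now
        return tok.subject

    def revoke(self, value: str) -> bool:
        """Logout path: drop the token immediately, whatever its remaining lifetime."""
        return self._tokens.pop(value, None) is not None

    def purge_expired(self) -> int:
        """Eager sweep for stores where tokens may never be presented again."""
        now = self._clock()
        dead = [v for v, t in self._tokens.items() if self._is_expired(t, now)]
        for v in dead:
            del self._tokens[v]
        return len(dead)

    def __len__(self) -> int:
        return len(self._tokens)


class FakeClock:
    """Constructed clock for the demo so expiry can be observed without waiting."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Walk through the thread's three cases; values are returned so they can be asserted."""
    clock = FakeClock(1_000.0)
    # Long absolute lifetime (the 30000 s from the config above) plus a 2-hour idle window.
    store = InMemoryTokenStore(validity_seconds=30000, idle_seconds=7200, clock=clock)
    out = {}
    t = store.issue("alice")
    out["fresh"] = store.load(t)                # accepted
    clock.advance(3600)
    out["after_1h"] = store.load(t)             # still accepted; idle window slides
    clock.advance(7200)
    out["after_idle"] = store.load(t)           # 2 h unused: rejected and purged
    out["remaining"] = len(store)
    t2 = store.issue("bob")
    out["logout"] = store.revoke(t2)            # explicit removal at logout
    out["after_logout"] = store.load(t2)
    t3 = store.issue("carol")
    clock.advance(30000)
    out["absolute"] = store.load(t3)            # absolute lifetime reached
    return out


if __name__ == "__main__":
    print(demo())
```

The point the model makes for a defender is that a very large accessTokenValiditySeconds on its own means a leaked token stays usable for that whole interval; an idle window bounds that exposure without forcing refresh during active use, and revocation at logout closes it immediately. Note also that lazy purge alone never removes a token that is simply never presented again, which is why the sweep method exists.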
