The access token which is returned after hitting 'oauth/token' expires after 3600 secs (1 hour).
I understand as per the docs that this is the max time given to a user and after that the token has to be refreshed.
My question is is there a way to decrease this expiry time? I mean If we want a specific user to access an application for 30 mins only. So, how is that is possible?
is there a way to decrease this expiry time?
No, the token is configured by Firebase Authentication, and there is no mechanism provided to change that. You can instead write your own code to check the expiration on the token and refuse to accept it based on your own logic.
Related
I use Scrypted to allow viewing Nest cameras in HomeKit. When I go through the process of giving Scrypted permission to access my camera information, that token seems to expire after a week (approximately). I haven't seen any setting anywhere that allows me to change this. Is there some hidden option somewhere that can allow this permission to not expire.
I finally found the expiration page - but I don't see how to remove the 7 day limit. It offers to raise the daily token limit, but not to remove expiration.
Per https://developers.google.com/identity/protocols/oauth2#expiration this is because your oauth client id is unverified. You'll need to go through the oauth client verification process to get longer lived tokens.
For Sending the notification using REST API's we have to generate access token first and its expiration time 1 hour.
So my question is for Production server every 1 hour we have to generate access token to use this API? Is there any other way to increase this expiration time or bypass this using any admin url or any other thing?
Can any one help me in this?
Currently the access token expiration time for a confidential client is set to 1 hour, and cannot be changed or bypassed.
Please submit feature requests here: mobilefirstplatform.ibmcloud.com/help
Say I generated an authentication token, and to save on processing and remote calls, I've set it's expiration data some 30 days in the future.
Now I want to remove this account from my system, is there a way to revoke the authentication token I have given the client?
I don't think that's possible currently, and I can certainly work around that (by not having such high expiration times mostly), but I just wanted to make sure I didn't miss something in the docs.
Firebase now offers the ability to revoke refresh tokens, it's quite fresh - added 04/01/2018.
https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens
You can't really revoke that specific token (outside of invalidating the secret that generated the token, but that will invalidate all other tokens issued by that secret too - probably not what you want).
You can, however, rely on some information that's specific to the token (perhaps you included a unique user ID as data in the token) and update your security rules to reject any operations that match that value.
Adding to #Alex Redwood's answer
This is the important part:
return admin.auth().revokeRefreshTokens(uid)
.then(() => {
// Get user's tokensValidAfterTime.
return admin.auth().getUser(uid);
})
The example in the documentation has all kinds of nuanced cases, like writing a timestamp to the database to prevent reads until the current token expires, very implementation specific cases. The important part is you call revokeRefreshTokens(uid) on the correct uid, and verify the userRecord has modified the userRecord.tokensValidAfterTime value. This will not expire your active tokens. So it is valuable to have short expiry times to shorten the attack window (A better solution than a database rule that checks a timestamp in my opinion).
From: https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens
Use the CLI:
firebase logout --token <token>
https://firebaseopensource.com/projects/firebase/firebase-tools/#using_with%20ci%20systems
In ASP.NET MVC 4, Is it possible to have a different time out period for different user types?
I have an app where both users and customers will log in. Customers will tend to be fairly transient and be on the site for a short period of time, whereas users will need to remain logged in for several hours.
Is there a way to do this?
I should point out that I am not using MembershipServices. I'm handling user authentication manually.
Hope you can help,
Simon.
Short answer yes.
But you're not using the standard membership provider so you have to engineer this functionality in yourself depending on what you've done.
The standard provider allows you to set the expiry date of the authentication token (see http://msdn.microsoft.com/en-us/library/system.web.security.formsauthenticationticket.expiration.aspx). The token is then written to the users browser in a cookie with the same expiry date. The expiry date is included in the token itself as otherwise the token would work forever as only the browser knows the cookies expiry date.
When the token expires, the user has to relogin.
I have a passive STS set up for a new application I'm working on.
I've noticed that when a user's session expires, the user is still authenticated. I would have thought that when the session expires, the user would no longer be authenticated. My boss discussed this with me as I am currently charged with setting up the authentication. He says that it would be good if we could make the user's log on expire after a certain period of inactivity similar to how the session expires.
I am familiar with how to sign a user out with a few lines of code. How can I make it so that the user is automatically signed out after a specified period of inactivity?
Currently, I have some code in the global.asax file that programmatically checks when the last request was and compares it to the current time; it then signs the user out if a certain period of time has expired.
Peter Kron has proposed an answer in your MSDN thread:
Handle the SessionSecurityTokenCreated event raised by WSFederationAuthenticationModule. In that you can create a new SessionSecurityToken from the proposed token, and set the lifetime as you please.
http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/6b6d51ea-9c15-4744-800b-dd1379b495c3