Where is the session timeout limit defined for the OAuth2 authentication? - jhipster

To my understanding, the OAuth2 client uses a session for user login management. I, however, can't find where the timeout limit is defined. I am asked to ensure the timeout limit is 15 minutes. Where is the limit defined?

On application.yml, there are 2 parameters for token expiration:

Related

Can I use a Firebase token (JWT) to identify a user with an expiry date greater than 1 hour?

I'm using Cloud Firestore for Firebase to store information about a REST API service written in Node.js.
So, every request to Node will ask Firebase for information about the service and, first of all, it will authorize the request.
I thought that using a user-generated JWT would be the best solution, because the client simply has to include the JWT in its requests to authorize itself.
A Firebase JWT is related to the uid of the user that generates it.
Obviously, there'll be a control panel where the user can log in with email/password and generate the JWT, and then the JWT will be included in their client system, for example like simple APIs that require an API key to identify the user and to work.
So, the idea appears to work well, but I noticed that Firebase JWTs expire in only 1 hour!
The user has to log in to the control panel every hour to regenerate the JWT. That's not so friendly.
How can I avoid this problem? How can I make the JWT expire in more than 1 hour?
According to documentation:
The maximum lifetime of a token is 24 hours + skew.
[...]
with a skew of up to 10 minutes.
That means you cannot use these tokens forever, which kind of makes sense.
I looked at custom tokens and found:
The time, in seconds since the UNIX epoch, at which the token expires. It can be a maximum of 3600 seconds later than the iat.
Note: this only controls the time when the custom token itself expires. But once you sign a user in using signInWithCustomToken(), they will remain signed in into the device until their session is invalidated or the user signs out.
Perhaps you can do something with the signInWithCustomToken() as once logged in it expires only when the user is invalidated or signs out, but I believe the best course of action would be to look for another approach.

How to increase the expiry time of a Firebase auth token? I don't want to use the Firebase client; is there a way to do something only at the backend?

I made my custom backend with Node.js using Firebase Cloud Functions, and the auth token expiry time is only 1 hour for the Admin SDK. How can I increase the expiry time of the token, or do something to counter this issue, without using the firebase-client in my web app?
If you're creating custom tokens you're bound by this requirement that Firebase places on the exp claim:
exp: Expiration time
The time, in seconds since the UNIX epoch, at which the token expires. It can be a maximum of 3600 seconds later than the iat.
You might want to look into session cookies, which (according to the documentation) allow:
Ability to create session cookies with custom expiration times ranging from 5 minutes to 2 weeks.
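
The session-cookie approach suggested in the answer above, as an added example that is not part of the original posts. It assumes the firebase-admin Admin SDK, whose `createSessionCookie` and `verifySessionCookie` calls it uses; the function names, the cookie name and the cookie attributes are this example's own choices.

```javascript
// Added example. `auth` is the Admin SDK auth object (admin.auth() in
// firebase-admin); it is passed in so the logic can be exercised with a stub.
const MIN_TTL_MS = 5 * 60 * 1000;            // 5 minutes
const MAX_TTL_MS = 14 * 24 * 60 * 60 * 1000; // 2 weeks

// Reject lifetimes outside the range the documentation quotes.
function checkTtl(ttlMs) {
  if (!Number.isInteger(ttlMs) || ttlMs < MIN_TTL_MS || ttlMs > MAX_TTL_MS) {
    throw new RangeError('session lifetime must be between 5 minutes and 2 weeks');
  }
  return ttlMs;
}

// Exchange a freshly issued ID token for a longer-lived session cookie.
async function issueSessionCookie(auth, idToken, ttlMs) {
  const expiresIn = checkTtl(ttlMs); // createSessionCookie takes milliseconds
  const value = await auth.createSessionCookie(idToken, { expiresIn });
  return {
    name: 'session', // cookie name is an arbitrary choice for this example
    value,
    // Attributes in the shape Express's res.cookie() accepts (maxAge in ms).
    options: { maxAge: expiresIn, httpOnly: true, secure: true, sameSite: 'strict' },
  };
}

// Verify the cookie on each request; `true` also checks for revocation.
// Returns the user's uid, or null when the cookie is missing or invalid.
async function uidFromSession(auth, cookieValue) {
  if (!cookieValue) return null;
  try {
    const claims = await auth.verifySessionCookie(cookieValue, true);
    return claims.uid;
  } catch (err) {
    return null; // expired, revoked or malformed: treat as signed out
  }
}
```

The ID token passed to `issueSessionCookie` still has to come from a normal sign-in; the cookie only replaces the hourly token on later requests.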

How to limit the refresh token to be used for 1hr period

I want to achieve the following using Keycloak. How can I do it? I am using a Node application with the keycloak-js library.
The JWT token should include a refresh token.
The JWT access time should be set to two minutes, the refresh token expiry set to one hour.
Go to Keycloak Administrative Console.
Select your Realm.
Go to "Tokens" tab.
Set the desired timeout in the "SSO Session Idle" param.
Refresh token timeout is controlled via the "SSO Session Idle" param.
Set it to 1 hour in your case.
Bear in mind that there are no refresh tokens in the "Implicit" flow.

How to configure cookie authentication expiration on Cloudant?

Using cookie authentication on Cloudant, is it possible to adjust the life of the cookie?
On a normal CouchDB setup "the session timeout is specified by the "timeout" parameter in the "couch_httpd_auth" section of the configuration. If not specified it defaults to 600 seconds (10 minutes)." I haven't found this option in the Cloudant dashboard.
The lifespan of a cookie is not configurable by the user in Cloudant. Cookies time out after 24 hours.

Access token limit in docusign (node module)

I have been using the docusign node module for the embedded signing flow. Things have been working fine, but suddenly we have started seeing errors such as access token limit exceeded.
Here is the error:
Description: Maximum number of access tokens exceeded.
at /Users/amitagwl/Projects/Personal/support.birdeye.com/node_modules/docusign-node/components/auth.js:105:17
Questions:
In a quick lookup I found that production accounts have 10 as the token limit. Why is that? If I have exceeded the limit, does it mean I can't use my account any more?
Can I reuse an existing token? How do I see my previously created token?
Each application is allowed 10 tokens per authenticated user. In other words, your app can connect to a user's account only 10 times. The tokens can (and should) be reused. Typical apps will require only one token for each user, or one token for each account if Send-On-Behalf-Of is used.
In general you should authenticate once, get the token, store that token, and use it for future access to that user's account. The user may revoke that token at any time so your app should prompt for authentication if necessary.
I got the answer. Tokens can be revoked under "connected apps". (Classic experience only).
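
The authenticate-once, store and reuse pattern described in the answer above, as an added example (not code from the docusign module or from the original posts). `TokenStore`, the `authenticate` and `apiCall` callbacks, and the use of HTTP status 401 to signal a rejected token are assumptions of this example.

```javascript
// Added example; not part of the docusign module.
class TokenStore {
  // authenticate: hypothetical async (userId) => access token string
  constructor(authenticate) {
    this.authenticate = authenticate;
    // In-memory map for the example; a real app would persist tokens so a
    // restart does not request new ones and use up the per-user limit.
    this.tokens = new Map(); // userId -> Promise<token>
    this.issued = 0;         // tokens requested by this process
  }

  // Return the stored token, authenticating only when none is stored.
  // Storing the promise lets concurrent callers share a single login.
  getToken(userId) {
    if (!this.tokens.has(userId)) {
      this.issued += 1;
      const pending = Promise.resolve()
        .then(() => this.authenticate(userId))
        .catch((err) => {
          // Do not keep a failed login in the store.
          if (this.tokens.get(userId) === pending) this.tokens.delete(userId);
          throw err;
        });
      this.tokens.set(userId, pending);
    }
    return this.tokens.get(userId);
  }

  // Run an API call with the stored token. If it is rejected (assumed here
  // to surface as err.status === 401, e.g. after the user revoked it),
  // authenticate again once and retry.
  async call(userId, apiCall) {
    const stored = this.getToken(userId);
    try {
      return await apiCall(await stored);
    } catch (err) {
      if (!err || err.status !== 401) throw err;
      if (this.tokens.get(userId) === stored) this.tokens.delete(userId);
      return apiCall(await this.getToken(userId));
    }
  }
}
```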
