In the Magento [2.2.4] web API, when I pass a username and password it generates a token for that specific customer (which is only valid for 1 hour; this is configurable from the Magento admin):

http://magento.host/index.php/rest/V1/integration/customer/token?username=test.user@test.com&password=test@123

which returns the token.

After generating the token, we pass that token in the header:

Authorization: Bearer *Token Value*

http://magento.host/index.php/rest/V1/customers/me

which returns the customer details.

The above case I explained works fine for the web API in Magento 2, which I tested in Postman.

Now the case is:

Regenerating the token every hour, and logging in again every hour after that, is not logical for a mobile application.

So how does Magento manage user login data and authentication in a mobile application, if it is developed against the API as per service contracts?

  • How long should I allow my access tokens to exist before they expire in a mobile application?
    • I don't want to force my users to re-authenticate every hour in a mobile application.
    • How do I properly manage the OAuth2 API token life-cycle for a mobile application?

Changing the Access Token Lifetime hours would not be a logical solution, because the application and the web should have different token lifetime hours.
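The two-call flow described above (obtain a customer token, then present it as a Bearer header to /V1/customers/me), written as an added Python example that is not part of the question: a small client that caches the token, retires it shortly before the configured lifetime, and treats a 401 from the store as "token revoked or cleaned up, send the user back to sign-in". Unlike the URL in the question, it sends the credentials in a JSON POST body rather than the query string, so they do not land in access logs. The FakeMagento transport, the clock, the token values and the customer record are constructed for the offline demo; the assumed hostname is the one from the question.

```python
"""Mobile-client side of the Magento 2 customer-token flow (added example, not from the question)."""
import json
import time
import urllib.parse
from dataclasses import dataclass
from typing import Optional, Tuple

# A transport is any callable (method, url, headers, body) -> (status, response_text);
# plug in urllib/requests for a live store, or the FakeMagento below to run offline.


class CustomerTokenExpired(Exception):
    """Cached token is gone or rejected: the app must send the user back to the sign-in screen."""


@dataclass
class CachedToken:
    value: str
    obtained_at: float  # epoch seconds from the injected clock


class MagentoCustomerClient:
    """Caches one customer token and refuses to reuse it past the configured lifetime."""

    def __init__(self, base_url, transport, lifetime_hours=1.0, skew_seconds=60, clock=time.time):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.lifetime = lifetime_hours * 3600  # keep in step with admin "Customer Token Lifetime (Hours)"
        self.skew = skew_seconds               # retire the token early to absorb clock drift
        self.clock = clock
        self.token: Optional[CachedToken] = None

    def login(self, username: str, password: str) -> str:
        # Credentials travel in a JSON POST body, not the query string, so they stay out of access logs.
        url = f"{self.base_url}/rest/V1/integration/customer/token"
        body = json.dumps({"username": username, "password": password}).encode()
        status, text = self.transport("POST", url, {"Content-Type": "application/json"}, body)
        if status != 200:
            raise PermissionError(f"login failed with HTTP {status}")
        self.token = CachedToken(json.loads(text), self.clock())  # Magento returns the token as a JSON string
        return self.token.value

    def token_is_fresh(self) -> bool:
        return self.token is not None and self.clock() - self.token.obtained_at < self.lifetime - self.skew

    def me(self) -> dict:
        if not self.token_is_fresh():
            self.token = None
            raise CustomerTokenExpired("no usable token; prompt the user to sign in")
        url = f"{self.base_url}/rest/V1/customers/me"
        status, text = self.transport("GET", url, {"Authorization": f"Bearer {self.token.value}"}, None)
        if status == 401:  # revoked on logout, or removed by the expired-token cron
            self.token = None
            raise CustomerTokenExpired("store rejected the token; prompt the user to sign in")
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status}")
        return json.loads(text)


class FakeMagento:
    """Constructed stand-in for the store so the demo runs offline."""

    def __init__(self):
        self.issued = set()

    def __call__(self, method, url, headers, body) -> Tuple[int, str]:
        path = urllib.parse.urlparse(url).path
        if method == "POST" and path.endswith("/integration/customer/token"):
            if json.loads(body) == {"username": "test.user@test.com", "password": "test@123"}:
                token = f"tok-{len(self.issued) + 1}"
                self.issued.add(token)
                return 200, json.dumps(token)
            return 401, json.dumps({"message": "invalid credentials"})
        if method == "GET" and path.endswith("/customers/me"):
            auth = headers.get("Authorization", "")
            token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
            if token in self.issued:
                return 200, json.dumps({"id": 7, "email": "test.user@test.com"})
            return 401, json.dumps({"message": "not authorized"})
        return 404, "{}"


def demo() -> Tuple[str, str, bool]:
    """Sign in, read the profile twice inside the hour, then show the stale token being refused."""
    now = [1_700_000_000.0]  # constructed clock advanced by hand
    client = MagentoCustomerClient("http://magento.host/index.php", FakeMagento(), clock=lambda: now[0])
    client.login("test.user@test.com", "test@123")
    first = client.me()["email"]
    now[0] += 58 * 60        # 58 minutes on: still inside lifetime minus skew
    second = client.me()["email"]
    now[0] += 3 * 60         # past the one-hour lifetime
    try:
        client.me()
        refused = False
    except CustomerTokenExpired:
        refused = True
    return first, second, refused
```

The client never stores the password to re-login silently; when the token is stale it raises and the app shows the sign-in screen. That is the behaviour the question complains about, and the server-side policies in the answer and comments are what change it.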


Taran
Aditya Shah
  • Have you tried extending the token lifetime from store->configuration->services->OAuth->Customer Token Lifetime (Hours)? – Manthan Dave May 11 '18 at 11:47
  • No; checking it by leaving Customer Token Lifetime (Hours) blank, which will disable the feature if the value is empty. So it might work. – Aditya Shah May 11 '18 at 12:06
  • It won't, because when we empty the value of Customer Token Lifetime it will regenerate the token on every request, and all that data (from every request) will never expire and will be stored in oauth_token. – Aditya Shah May 12 '18 at 04:29
  • If you have access to the code of the store you are connecting to, or you can write a Magento module for your app, one solution would be to update the token's valid date at each request when the customer token is used, similar to how a session is handled. Then as long as your app makes any request within the token lifetime, the customer won't be forced to re-authorize. – Zefiryn Jun 15 '18 at 20:38
  • But based on which flag do we consider that the customer token is used? – Aditya Shah Jun 20 '18 at 05:26
  • We only know when the customer logs in. – Aditya Shah Jun 20 '18 at 05:26
  • I don't think you have to re-validate the token again and again after every hour. If you keep on using it and hitting requests, i.e. if a user is browsing and you are using your token, then its lifetime is reset to zero again. So only if you are idle for one hour and don't hit any API will the token expire; otherwise you can use it for hours. – Vivek Jun 22 '18 at 05:34
  • That is the point: in the API the user will not always be active. Let's take an example. CASE 1 => I opened the application in the morning, and if I open that app again at night then it shouldn't ask for login again (because the token has expired). – Aditya Shah Jun 22 '18 at 05:41
  • @AdityaShah Any solutions to this problem? – mahmoudismail Feb 06 '19 at 12:01

1 Answer

To check for a valid customer token, Magento checks two criteria:

  1. Is the token revoked? (That happens when the user logs out.) revoked is saved as 1 in the oauth_token table.
  2. The token is actually present in the oauth_token table.

Magento runs a cron to remove the expired tokens (as per the lifetime in the admin setting) from the table (vendor\magento\module-integration\Cron\CleanExpiredTokens.php).

Possible solution:

  1. Increase the token lifetime from the admin.
  2. Override the above-mentioned cron to only remove the tokens that are revoked, i.e. the logged-out customers' tokens.

Hope this answers your question.
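As an added illustration (not Magento's code and not from the answer), the following Python models the three cleanup policies this thread discusses over a constructed set of oauth_token rows: the age-based cleanup the answer attributes to the core cron, the answer's "delete only revoked tokens" override, and the sliding idle expiry Zefiryn's comment proposes, extended here with a hard maximum age so that a token copied out of a device backup cannot stay valid indefinitely. The last_used_at column, the policy names and the sample rows are assumptions of the example; USER_TYPE_CUSTOMER = 3 is the value of Magento's UserContextInterface::USER_TYPE_CUSTOMER.

```python
"""Cleanup policies for a Magento-style oauth_token table (added example, not Magento's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

USER_TYPE_CUSTOMER = 3  # Magento's UserContextInterface::USER_TYPE_CUSTOMER


@dataclass
class TokenRow:
    token: str
    user_type: int
    revoked: int            # oauth_token.revoked: set to 1 on logout
    created_at: datetime    # oauth_token.created_at
    last_used_at: datetime  # hypothetical extra column a sliding-expiry module would maintain


def touch(row: TokenRow, now: datetime) -> None:
    """Per-request hook for the sliding policy: record that the token was just used."""
    row.last_used_at = now


def is_valid(rows: List[TokenRow], token: str) -> bool:
    """The two checks the answer describes: the row still exists and is not revoked."""
    return any(r.token == token and not r.revoked for r in rows)


def tokens_to_delete(rows: List[TokenRow], now: datetime, policy: str,
                     lifetime_hours=1, idle_hours=24 * 14, max_age_hours=24 * 90) -> List[str]:
    """Return the customer tokens the cleanup cron would delete under the chosen policy.

    "default"      - the answer's description of core: delete anything older than the admin lifetime
    "revoked_only" - the answer's suggestion: delete only logged-out tokens (nothing else ever dies)
    "sliding"      - Zefiryn's suggestion plus a hard cap: delete revoked, idle, or very old tokens
    """
    doomed = []
    for row in rows:
        if row.user_type != USER_TYPE_CUSTOMER:
            continue  # admin/integration tokens are outside this example
        age = now - row.created_at
        idle = now - row.last_used_at
        if policy == "default":
            kill = age >= timedelta(hours=lifetime_hours)
        elif policy == "revoked_only":
            kill = bool(row.revoked)
        elif policy == "sliding":
            kill = (bool(row.revoked)
                    or idle >= timedelta(hours=idle_hours)
                    or age >= timedelta(hours=max_age_hours))
        else:
            raise ValueError(f"unknown policy {policy!r}")
        if kill:
            doomed.append(row.token)
    return doomed


def sample_rows(now: datetime) -> List[TokenRow]:
    """Constructed rows covering the cases the thread argues about."""
    h = lambda n: now - timedelta(hours=n)
    return [
        TokenRow("A-fresh", 3, 0, h(0.5), h(0)),          # signed in half an hour ago, active now
        TokenRow("B-active", 3, 0, h(5), h(0.2)),         # older than 1h but used minutes ago
        TokenRow("C-loggedout", 3, 1, h(5), h(5)),        # user logged out: revoked = 1
        TokenRow("D-ancient", 3, 0, h(24 * 100), h(24)),  # 100 days old, still being used
        TokenRow("E-idle", 3, 0, h(24 * 20), h(24 * 20)), # untouched for 20 days
        TokenRow("F-admin", 2, 0, h(5), h(5)),            # not a customer token; skipped
    ]
```

Under "default", the morning/night case from the comments fails because B is deleted after one hour. "revoked_only" fixes that but keeps D and E forever, so a token that leaks long after the phone was retired still works. "sliding" keeps B (recently used) while still retiring C, D and E, which is the trade-off a mobile deployment usually wants.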

Abhishek Tripathi
Vishwas Bhatnagar
  • I feel you are talking about the user roles? Like admin... Also, please accept the answer. – Vishwas Bhatnagar May 14 '18 at 05:06
  • No, I am talking about M2 authentication used in a mobile application in the back-end, because regenerating the token every hour and then logging in again every hour is not logical for a mobile application.

    It should only authenticate once, and again when the user changes the password (activity like that).

    – Aditya Shah May 14 '18 at 05:19
  • I think I have suggested a solution for that in my above answer; we are using the same solution and it is working flawlessly for us. – Vishwas Bhatnagar May 14 '18 at 05:22
  • Thanks man!! I searched a lot but didn't find any solution except yours :) – Aditya Shah Aug 14 '18 at 05:08