Yes, the timeout value is configurable via a setting in the org. Setup -> Administration Setup -> Security Controls -> Session Settings -> Timeout value.
If you use the token continually it shouldn't expire.
I notice the longest Timeout value available is 8 hours. Is there any plan to increase this?
Other OAuth token providers (Twitter, Facebook) support a much longer period of time and this is really handy - especially if the user doesn't access your app frequently. E.g. the Twitter client on my iPhone - I would stop using it if I had to log in every day!
When you are using OAuth with our service you get both a session token (access_token) and a long-term token (refresh_token) which can be used to obtain new access_tokens from the token endpoint. The easiest way to think of it is the refresh token is kind of like a password and the access token is kind of like a session cookie... you can use the refresh token to get new sessions. The access tokens work like with the session settings. Refresh tokens are long lived, but can be revoked.
Hope that helps.
Simon,
So if I understand you correctly, I should use the following algorithm to give the appearance of a non-expiring token:
Authorization:
1. Do the dance
2. Acquire access and refresh tokens
3. Store the refresh token
Usage:
1. Grab the refresh token
2. Make a call to get a new access token
3. Set the session ID to the access token
4. Make the WS call
or
1. Store the access token
2. Set the session ID to the access token
3. Attempt a WS call
4. On error, obtain a new access token and goto step 2.
Is this correct?
Steve
Yup - that's the general idea.
As your client starts a new session, use the refresh token to fetch an access token. When the access token expires, throw it out and get a new one (or if your client session ends, throw away the access token).
Think of it like a web browser using a password to get a session cookie. Close the browser and you need to log in again to get a new session cookie.
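The second flow outlined above (use the stored access token, refresh on error), as an added example that is not part of any poster's message or the service's own code. `FakeService`, its methods and the token values are constructed in-memory stand-ins, not a real API; the client retries only once and surfaces a revoked refresh token instead of looping on "goto step 2".

```python
import secrets

class SessionExpired(Exception): ...
class ReauthorizationRequired(Exception): ...

class FakeService:
    """Constructed stand-in for the token endpoint and the web service."""
    def __init__(self):
        self.valid_refresh = {"constructed-refresh-token"}
        self.valid_access = set()

    def token_endpoint(self, refresh_token):
        if refresh_token not in self.valid_refresh:
            raise ReauthorizationRequired("refresh token revoked or unknown")
        access = secrets.token_hex(8)
        self.valid_access.add(access)
        return access

    def ws_call(self, access_token, payload):
        if access_token not in self.valid_access:
            raise SessionExpired("invalid session")
        return f"ok:{payload}"

    def expire_sessions(self):
        self.valid_access.clear()  # simulates the session timeout elapsing

class Client:
    def __init__(self, service, refresh_token):
        self.service = service
        self.refresh_token = refresh_token  # long-lived: protect it like a password
        self.access_token = None            # short-lived: keep in memory only
        self.refreshes = 0

    def _refresh(self):
        self.access_token = self.service.token_endpoint(self.refresh_token)
        self.refreshes += 1

    def call(self, payload):
        if self.access_token is None:
            self._refresh()
        try:
            return self.service.ws_call(self.access_token, payload)
        except SessionExpired:
            self.access_token = None  # throw the dead token away
            self._refresh()           # raises ReauthorizationRequired if revoked
            # Retry exactly once; a second failure propagates to the caller.
            return self.service.ws_call(self.access_token, payload)
```

When `ReauthorizationRequired` is raised the only recovery is to send the user through the authorization flow again, which is what makes revoking the refresh token an effective kill switch.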
@dkador You mentioned that "If you use the token continually it shouldn't expire." So does this mean even if I have set the expiration time as 8 hrs for the access token, it won't expire as long as I am continually using it?
Right now what I am facing is: I have set the expiration time as 8 hrs but I have been able to use the access token continuously for 3 days. What exactly does this behavior mean?
Thank you in advance.