
I am using the password grant type. By nature of this grant type, the Clients are fully trusted by the API, and in my case, they share the same owner.

Each Client will be added to the API by the API owner, by manually posting to the oauth/v2/token endpoint, retrieving an Access Token, and manually dropping it into the database of the Client.

The Clients using the API service will need full availability of the API at all times. If their Access Token were to expire, their API call will return a 401 Unauthorized response. The API would therefore not be available until the API owner has manually posted back to the oauth/v2/token endpoint using the refresh token, received a new Access Token, and updated the Client's Access Token in the Client's external database, for them to use.

My Questions: Ideally, I would like the Access Token to never expire. Is this at all possible? I have looked at the code in the bundle, and it seems not. If not, how have other people got around this issue, to make Token refreshing seamless for the Client?

Alex

2 Answers


In the FOSOAuthServerBundle configuration, you can change the token lifetime to whatever value you want.

Just look at: https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/blob/master/Resources/doc/configuration_reference.md

spiritoo
  • You also need to run 'php app/console cache:clear --env=prod' or 'php app/console cache:clear --env=dev' according to your environment after configuring access_token_lifetime manually, for the change to take effect! – ani0904071 Jan 18 '21 at 08:14

I don't know if this is really an answer or more a comment because although it works for me, I feel it's really far from being a 'best practice'. But I don't have enough reputation to comment. Anyways:

What I've done is just manually set 'expires_at' to null in the access_token table. Did it manually in phpMyAdmin just because I'll need to handle very very very few clients and tokens.

Now, if you want to 'automatize' it, hook into the pre_persist event on your AccessToken entity and set 'expires_at' to null before persisting. I guess that should work.

Probably the 'best practice' would be to handle token refreshing in your client application. That is, do first a connection to your API and, if it's a 401 response (Unauthorized), refresh the token and retry the connection. I desisted from trying this method for performance reasons.

MigMolRod
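The refresh-and-retry pattern from the last paragraph of that answer, as an added example that is not part of the answer or of FOSOAuthServerBundle. The in-memory FakeAuthServer standing in for the oauth/v2/token endpoint, the single-use refresh tokens it hands out, and the on_update callback that writes the new pair back to the client's token store are all assumptions; a real client would make HTTP calls in place of the method calls.

```python
import secrets
import time

# Constructed in-memory stand-in for the bundle's oauth/v2/token endpoint plus one
# protected resource. An assumption for this example, not FOSOAuthServerBundle code.
class FakeAuthServer:
    def __init__(self, access_lifetime=3600):
        self.access_lifetime = access_lifetime
        self.access = {}       # access_token -> expires_at (epoch seconds)
        self.refresh = set()   # refresh tokens that are still valid (unused)

    def _issue(self, now):
        at, rt = secrets.token_hex(8), secrets.token_hex(8)
        self.access[at] = now + self.access_lifetime
        self.refresh.add(rt)
        return {"access_token": at, "refresh_token": rt}

    def token(self, grant_type, refresh_token=None, now=None):
        now = time.time() if now is None else now
        if grant_type == "password":
            return 200, self._issue(now)
        if grant_type == "refresh_token" and refresh_token in self.refresh:
            self.refresh.discard(refresh_token)  # refresh tokens are single use here
            return 200, self._issue(now)
        return 400, {"error": "invalid_grant"}

    def resource(self, access_token, now=None):
        now = time.time() if now is None else now
        if self.access.get(access_token, 0) > now:
            return 200, {"data": "ok"}
        return 401, {"error": "access_denied"}


class ApiClient:
    """Client-side seamless refresh: on 401, refresh once, persist, retry once."""
    def __init__(self, server, tokens, on_update):
        self.server, self.tokens, self.on_update = server, dict(tokens), on_update

    def call(self, now=None):
        status, body = self.server.resource(self.tokens["access_token"], now)
        if status != 401:
            return status, body
        status, new = self.server.token("refresh_token", self.tokens["refresh_token"], now)
        if status != 200:
            # Refresh token revoked or expired: surface it rather than retrying forever,
            # so the owner knows a fresh password-grant provisioning is needed.
            raise RuntimeError("token refresh failed; re-provision via password grant")
        self.tokens = new
        self.on_update(new)   # write the new pair to wherever the client keeps its tokens
        return self.server.resource(new["access_token"], now)
```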