
We have a secure app which needs a very short access token validity period (for example, 15 mins). We would like the access token to remain active while the user is active and making API calls. However, once there is 15 mins of inactivity it should expire. Essentially, the expiration time shouldn't be fixed, but rather 15 mins from last call.

What is a good pattern to use for this model? Is this possible with OAuth2?

dmorrow

1 Answer


OAuth 2.0 doesn't specify how an access token can be validated. That is up to an agreement between the Resource Server (i.e. your API) and the Authorization Server, so you're free in your implementation to gear it towards the scenario that you describe.

Either your Resource Server needs to track the inactivity timeout or the Authorization Server can do it and the Resource Server needs to call out on each usage to the Authorization Server to track usage and activity there.

Hans Z.
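As an added worked example (not part of the question or the answer above), the following Python sketch shows the sliding inactivity window described in the question, implemented on whichever side keeps the token state: the Resource Server itself (the answer's first option) or the Authorization Server exposing an RFC 7662-style introspection response that the Resource Server calls on every request (the second option). The store, the record layout, the 8-hour absolute cap and the simulated clock are assumptions for illustration; only the 15-minute inactivity window comes from the question.

```python
"""Sliding (inactivity-based) expiry for opaque access tokens.

Added example, not code from the original post. The token store, the
absolute lifetime cap and the explicit `now` clock are assumptions.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

INACTIVITY_SECONDS = 15 * 60        # the question's 15-minute inactivity window
MAX_LIFETIME_SECONDS = 8 * 60 * 60  # assumed absolute cap, so a busy client cannot keep a token alive forever


@dataclass
class TokenRecord:
    subject: str
    issued_at: float
    last_used: float


def _fingerprint(token: str) -> str:
    # Keep only a hash of the opaque token so a dump of the store does not leak usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class SlidingTokenStore:
    inactivity: float = INACTIVITY_SECONDS
    max_lifetime: float = MAX_LIFETIME_SECONDS
    _records: dict = field(default_factory=dict)

    def issue(self, subject: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._records[_fingerprint(token)] = TokenRecord(subject, now, now)
        return token

    def expires_at(self, rec: TokenRecord) -> float:
        # Effective expiry is whichever comes first: end of the inactivity window or the absolute cap.
        return min(rec.last_used + self.inactivity, rec.issued_at + self.max_lifetime)

    def validate(self, token: str, now: float):
        """Return the subject if the token is active, else None.

        A successful validation counts as activity and resets the inactivity clock,
        which is what makes the expiry "15 minutes from the last call".
        """
        key = _fingerprint(token)
        rec = self._records.get(key)
        if rec is None:
            return None
        if now >= self.expires_at(rec):
            # Expired tokens are removed so a later call cannot revive them.
            del self._records[key]
            return None
        rec.last_used = now
        return rec.subject

    def introspect(self, token: str, now: float) -> dict:
        """RFC 7662-shaped response for the answer's second option: the Resource Server
        calls this on every request, and the call itself is what records activity."""
        subject = self.validate(token, now)
        if subject is None:
            return {"active": False}
        rec = self._records[_fingerprint(token)]
        return {"active": True, "sub": subject, "exp": int(self.expires_at(rec))}


def demo() -> list:
    """Walk one token through use, sliding renewal and inactivity expiry on a simulated clock."""
    store = SlidingTokenStore()
    t0 = 1_700_000_000.0
    token = store.issue("alice", t0)
    return [
        store.validate(token, t0 + 10 * 60),                 # 10 min after issue: active
        store.validate(token, t0 + 24 * 60),                 # 14 min after last use: still active (24 min after issue)
        store.validate(token, t0 + 24 * 60 + 16 * 60),       # 16 min idle: expired and purged
        store.validate(token, t0 + 24 * 60 + 16 * 60 + 1),   # stays expired
    ]


if __name__ == "__main__":
    print(demo())
```

Whichever side holds the record is the side that must see every request, which is why the answer frames the choice as "Resource Server tracks it" or "Resource Server calls out on each usage". Note that a purely sliding window with no absolute cap lets a compromised client keep a token alive indefinitely by polling, hence the assumed `max_lifetime` above.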