I know I can set the Sanctum token expiration time in config/sanctum.php, but this expiration seems to be global. How can I set a different expiration time based on their role? E.g. a super admin token should expire after 30 minutes while an admin token should expire after 15 minutes.
While authenticating a user, you can dynamically set the 'expiration' key of the Sanctum configuration based on your user type.
config(['sanctum.expiration' => 525600]);
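A per-token alternative, as an added example that is not part of the original answer: from Sanctum 3.0 on, `createToken()` takes an expiry as its third argument, so the lifetime is stored with each token instead of being read from the global `sanctum.expiration` value. The `role` column, the `TokenController` name, the `'api'` token name and the fallback lifetime are assumptions.

```php
<?php
// Added example. Assumes Laravel Sanctum 3.x or later and a hypothetical
// `role` column on the users table.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

class TokenController extends Controller
{
    // Token lifetime in minutes per role (values taken from the question).
    private const TTL_MINUTES = [
        'super_admin' => 30,
        'admin'       => 15,
    ];

    // Assumed policy: a role missing from the map gets the shortest lifetime.
    private const DEFAULT_TTL_MINUTES = 15;

    public function store(Request $request): JsonResponse
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required', 'string'],
        ]);

        $user = User::where('email', $credentials['email'])->first();

        if (! $user || ! Hash::check($credentials['password'], $user->password)) {
            throw ValidationException::withMessages([
                'email' => ['The provided credentials are incorrect.'],
            ]);
        }

        $ttl = self::TTL_MINUTES[$user->role] ?? self::DEFAULT_TTL_MINUTES;
        $expiresAt = now()->addMinutes($ttl);

        // Written to personal_access_tokens.expires_at and checked on each request.
        $token = $user->createToken('api', ['*'], $expiresAt);

        return response()->json([
            'token'      => $token->plainTextToken,
            'expires_at' => $expiresAt->toIso8601String(),
        ]);
    }
}
```

If `sanctum.expiration` is also set, Sanctum rejects a token once either limit has passed, so the global value should be null or at least as long as the longest role lifetime.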
Related
I have already issued a lot of tokens for an existing application in production. There was a ttl and refresh_ttl value in the JWT config. I have set ttl and refresh_ttl to null so that the new tokens don't have an expiration time. Right now, I want to remove the expiration time from all the existing tokens. How do I achieve this?
I need a token (or key) to use in API requests as a bearer token.
The idea is to set it once for a user and access resources without login.
I tried to use access_token for it, but max expiration time is 1 day.
So, I need a token:
- With expiration time >30 days
- Which can uniquely identify the user
- Contains authentication data, like roles and groups
Any idea how it can be done with OKTA?
If you're using OAuth in conjunction with Okta, you can use a refresh_token (which can have a much longer expiration - including unlimited) to fetch a new access_token.
So, you wouldn't need end user (resource owner) interaction. But, when the access_token expires, you would need to fetch a new one using the refresh_token.
I have a Web API which issues a Bearer Token after a successful login check.
The API is set with a token expiration time of 1 day and it's working fine.
What I want is to expire that token before its scheduled time (like 1 hour) if the user sends a log out request, so that the token won't work after that.
Is it possible?
In my view, there is no need to expire the generated token manually. If you still want to do so, you need to update (refresh) the token's expiry time to the current request time. Make sense?
But in that case, you will need to create a new token every time, even if the user logs out and logs in before the expiration time.
Because tokens are stored on the client and not on the server, you can't manually invalidate the token.
I had a similar problem once, in this question
In parse dashboard in class _Session, all sessionTokens are being saved.
The following actions seem to trigger the creation:
- Login
- Sign up
- Upgrade
The first question is: Is there any other action that will create a new session Token?
And: I see that all tokens have an expiresAt field, which is always set 1 year after the token's createdAt. Can I extend this period (e.g. to 2 years)?
Last: If this token is expired, and a user uses my app, what would happen then? The app will require a new log in (so a new token will be created)?
Correct on the actions.
Parse-server allows for advanced options on initialization. Use sessionLength to set your expiry date.
If you are using environment variables, it will be PARSE_SERVER_SESSION_LENGTH.
sessionLength - The length of time in seconds that a session should be valid for. Defaults to 31536000 seconds (1 year).
Depends on what you are doing client-side. You can force a log out if the session has expired.
Also note that when trying to run cloud code with an expired session the following error will show: {"code":209,"message":"Session token is expired."}
I just came across this and wanted to build on the accepted answer.
Yes, the default sessionLength is 1 year but can be extended via a config param passed into the constructor of the ParseServer object.
When using Anonymous accounts this is a disaster situation. By design, the user can not re-authenticate after the session expires so they just lose all their data.
Reading the Parse Server source code I found another config setting expireInactiveSessions which defaults to true. I was able to pass in that config option as false and now expiresAt on the Session collection is undefined. Now anonymous user sessions never expire.
In my case, I use anonymous users but allow users to create a real account using email auth. Unfortunately, now those sessions never expire either. I didn't try it, but I think you could set a trigger on the Session collection to provide an expiration for email-based accounts and have anonymous sessions never expire. This would be the ideal solution.
How do I set the expiry time for a Sentry auth / token?
I need to set the time to 60 minutes or 1 day maybe.
Can it be set in the config? I can't find the setting for the login expiry time.
Go to config\session.php.
Change the lifetime value to any number of minutes. Sentry will use that value as its session expiry time.
As per the Laravel documentation:
| Here you may specify the number of minutes that you wish the session
| to be allowed to remain idle before it expires. If you want them
| to immediately expire on the browser closing, set that option.