Timeout for OAuth2

[Dom F]

I'm using SparkJava and org.pac4j:spark-pac4j:1.2.3

With the simplest implementation I have logged in via Google using OAuth2. It is using The SparkWebContext, an extension of the J2EContext. It also used the HashSessionIdManager. 

Google returns the UserProfile, which contains the access_token. 

After a period (I think 20 or 30 mins) the access_token in the Profile is no longer valid. EG.

https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.CjDKA0JfTgGdIi4FVgf-UseUzS-3Hb_FrDVaagjAzpLPConc-qMii6XYwHoo85_SOs8

returns

{
  error: "invalid_token",
  error_description: "Invalid Value"
}

However, when I browse to my protectedIndex page I'm not, as expected, asked to authenticate again.

What basic concept have I failed to understand?  

PS. Is there a single page version of the documentation available. This would greatly aid searching for concepts like this.

[Jérôme LELEU]

Hi,

In fact, the web session should expire before the access token does as the user profile is requested only once at login. Thus, when the session expires, the Google login process is performed again and a new access token is issued.

Thanks.

Best regards,

Jérôme

P.S. : yes, just added this issue: https://github.com/pac4j/pac4j/issues/789

--
You received this message because you are subscribed to the Google Groups "pac4j-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Dominic Farr]

So what is the default session expiration time. I'm never expiring in my naive implementation. I would have expected SparkJava's jetty to be configured with a default 30 mins.

[Jérôme LELEU]

Hi,

Good question! I guess you should ask it on the spark mailing list, I haven't found anything relevant via Google...

Thanks.

Best regards,

Jérôme

[Dominic Farr]

good idea. https://groups.google.com/d/topic/sparkjava/MWvA0_wFwIE/discussion