In Magento [2.2.4] web API when I pass username and password then it generates token for that specific customer (Which is only valid for 1 hour - it is configurable from Magento admin)
http://magento.host/index.php/rest/V1/integration/customer/[email protected]&password=test@123
which returns token.
After generating token, when we pass that token in header.
Authorization :: Bearer *Token Value*
Which returns customer details.
The above case I explained is working fine for webAPI in magento2 which I tested in POSTMAN.
Now the case is,
Every hour regeneration of token and after that login again every hour is not logical for Mobile Application.
Then how Magento manages user login data and authentication in Mobile application, if it is developed API As per Service Contracts
- How long should I allow my access tokens to exist before
it expires in Mobile Application?
- I don’t want to force my users to re-authenticate every hour in Mobile Application.
- How to properly manage your OAuth2 API token life-cycle for Mobile Application.
Making changes in Access Token Lifetime hours would not be logical solution, Because Application and web should have different lifetime hours of Token
-
Have you tried to extend token lifetime from store->configuration->services->OAuth->Customer Token Lifetime (Hours) - ?Manthan Dave– Manthan Dave2018年05月11日 11:47:57 +00:00Commented May 11, 2018 at 11:47
-
No, checking it by making a blank value of Customer Token Lifetime (Hours)- which will disable the feature if the value is empty. So might work.Aditya Shah– Aditya Shah2018年05月11日 12:06:26 +00:00Commented May 11, 2018 at 12:06
-
It won't because when we empty the value of Customer Token Lifetime then it will regenerate token every request and that all data will not expire (every request data) and it will stored in oauth_tokenAditya Shah– Aditya Shah2018年05月12日 04:29:03 +00:00Commented May 12, 2018 at 4:29
-
If you have access to the code of a store you are connecting or you can write a magento module for your app, one solution would be to update token valid date at each request when customer token is used, similar as session is done. Then until your app does any requests within token lifetime customer won't be forced to re-authorize.Zefiryn– Zefiryn2018年06月15日 20:38:53 +00:00Commented Jun 15, 2018 at 20:38
-
but based on which flag we consider that customer token is used.Aditya Shah– Aditya Shah2018年06月20日 05:26:10 +00:00Commented Jun 20, 2018 at 5:26
1 Answer 1
To check for a valid customer token Magento checks two criteria
- Is token revoked ( That happens when user logout) : revoked is saved as 1 in oauth_token table
- Token is actually present in
oauth_tokentable
Magento runs a cron to remove the expired tokens (as per lifetime in admin setting) from the table (vendor\magento\module-integration\Cron\CleanExpiredTokens.php)
Possible solution
- Increase Token lifetime from admin
- Override the above mentioned cron to only remove the token that are revoked i.e the logged out customer tokens
Hope this answers your question
-
I feel you are talking about the user roles ? like admin ... also please accept the answerVishwas Bhatnagar– Vishwas Bhatnagar2018年05月14日 05:06:49 +00:00Commented May 14, 2018 at 5:06
-
No, i am talking about M2 authentication used in mobile application in back-end , Because every hour regeneration of token and after that login again every hour is not logical for Mobile Application. It should only be authenticate once and when user change the password (activity like that)Aditya Shah– Aditya Shah2018年05月14日 05:19:59 +00:00Commented May 14, 2018 at 5:19
-
i think i have suggested a solution for that in my above answer we are using the same solution and working flawlessly for usVishwas Bhatnagar– Vishwas Bhatnagar2018年05月14日 05:22:09 +00:00Commented May 14, 2018 at 5:22
-
1Thanks man!! I searched a lot but didn't found any solution except yours :)Aditya Shah– Aditya Shah2018年08月14日 05:08:39 +00:00Commented Aug 14, 2018 at 5:08