user1955255

Reputation: 229

Regarding oAuth Token used in web api

I am using OAuth/Owin to generate a token, and when that token is sent back in the Authorization header of the request, it gets compared automatically; that's how I validate whether the request is coming from a valid user or not. The token is of bearer type.

Code that is used to generate token is as below:

private string GenerateAuthToken(TelephonyLoginCdto loginDto, double tokenExpirationTimeInHours)
{
    // Build the identity that the bearer middleware will see on later requests
    var identity = new ClaimsIdentity(OAuthDefaults.AuthenticationType);
    identity.AddClaim(new Claim(ClaimTypes.Name, loginDto.Username));

    // Issue/expiry stamps are carried inside the protected ticket itself
    var currentUtc = DateTime.UtcNow;
    var props = new AuthenticationProperties()
    {
        IssuedUtc = currentUtc,
        ExpiresUtc = currentUtc.Add(TimeSpan.FromHours(tokenExpirationTimeInHours))
    };
    var ticket = new AuthenticationTicket(identity, props);

    // Protect (encrypt + sign) the ticket with the same format the bearer middleware uses to validate it
    var accessToken = StartUp.OAuthBearerOptions.AccessTokenFormat.Protect(ticket);
    return accessToken;
}

An external system would consume my API. The flow would be:

1. The external system hits the login API first. The login API returns a token.
2. The external system uses that token and passes it in the Authorization header of another request to do some update using another method of the API.

They can repeat the above process many times in a day, say 5~6 times. They come and hit login and get a token, then use that token to do some operation by calling the save/get methods of the API.

My problem is when the external system is not hitting any of my API methods for a longer period of time and is idle. Now if the external system has to hit the API to do something, they need to hit the login API again in order to get the token and then consume the other methods of the API. If they do it more frequently, say within 10~15 minutes, it takes only 1~2 seconds to return the token, but if they do it after, say, 2~2.5 hours my login API takes 30 seconds to return the token.

I am not doing any refresh token mechanism, and I am kind of thinking: is it taking this much time because so many tokens are already generated and OWIN is trying to clean the server and then give a token? I have no idea what's happening.

Upvotes: 0

Views: 297

Answers (1)

LeftyX

Reputation: 35597

You might want to have a look at AccessTokenExpireTimeSpan.

The period of time the access token remains valid after being issued. The default is twenty minutes.
The client application is expected to refresh or acquire a new access token after the token has expired.

In your startup you should have something like this:

var OAuthOptions = new OAuthAuthorizationServerOptions
{
    // AllowInsecureHttp = true,
    TokenEndpointPath = new PathString("/oauth/Token"),
    AccessTokenExpireTimeSpan = TimeSpan.FromHours(8),
    Provider = new Providers.MyAuthorizationServerProvider(),
    // RefreshTokenProvider = new Providers.MyRefreshTokenProvider(DateTime.UtcNow.AddHours(8))
};
app.UseOAuthAuthorizationServer(OAuthOptions);
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

Reading your code it seems that you're not following the right pipeline. I would suggest you read this article, which will guide you through the whole process.

Regarding your last question about the lag when the API hasn't been hit by any request for more than 2 hours, that could be because IIS (if you're hosting your API in that environment) has shut down.

Upvotes: 1
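The token-endpoint pipeline the answer refers to, as an added example written for this page (not code from the question, the answer, or the Katana project): `MyAuthorizationServerProvider` is filled in as a resource-owner-password provider, and `CredentialStore.Verify` is an assumed placeholder for the real user lookup.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var serverOptions = new OAuthAuthorizationServerOptions
        {
            // Keep false outside local development: bearer tokens must only travel over TLS.
            AllowInsecureHttp = false,
            TokenEndpointPath = new PathString("/oauth/Token"),
            // Lifetime of every token issued at /oauth/Token (the default is twenty minutes).
            AccessTokenExpireTimeSpan = TimeSpan.FromHours(8),
            Provider = new MyAuthorizationServerProvider()
        };
        app.UseOAuthAuthorizationServer(serverOptions);
        // Checks "Authorization: Bearer <token>" per request with the same protection format
        // that issued it; nothing is stored server-side, so there is no token store to clean up.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}

public class MyAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // Public client without a client secret; the user's own credentials are verified below.
        context.Validated();
        return Task.FromResult(0);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // CredentialStore.Verify is a hypothetical lookup against your user store (assumed, not an OWIN API).
        if (!CredentialStore.Verify(context.UserName, context.Password))
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult(0);
        }
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        context.Validated(identity); // the middleware builds the ticket and applies AccessTokenExpireTimeSpan
        return Task.FromResult(0);
    }
}
```

A client posts `grant_type=password&username=...&password=...` to `/oauth/Token` and sends the returned `access_token` as a bearer header; once the 8 hours have passed the bearer middleware rejects the token and `[Authorize]` actions answer 401, which is independent of the IIS idle shutdown the answer mentions.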
