Reputation: 371
Problem: The application never gets timed out even after the Maximum Token-Expiration. For testing purposes I have set the Maximum Token-Expiration Period (seconds) on the MobileFirst Platform console to 60 seconds. How can I properly handle session time out based on the token expiration period set in the console?
Scenario: Suppose the user logs into the application and stays idle for 60 seconds. He then performs another action which invokes a different service call, e.g. getCountryList. In the logs I see that a request for /mfp/api/preauth/v1/preauthorize is sent first. On debugging I found that the sendRequest method in WLResourceRequest gets the scope as access_Restricted and hence invokes the obtain access method in this case. Hence it does not time out.
Expected: In this scenario I would want to automatically log out the user with a session time out instead of obtaining the access token again.
Is it possible to handle this case?
Upvotes: 2
Views: 546
Reputation: 3553
The preauthorization step is a part of OAuth. Whenever the application doesn't have a valid token to access a resource, it goes through the OAuth flow, and if the client can answer the challenges thrown by the server in the preauthorization and authorization steps, it receives a token at the end of the OAuth flow.
You can find more about the Authentication flow of MFP 8.0 here.
In your case, your application is trying to access a protected resource with an expired token, hence it goes through the OAuth flow.
To resolve this, you can use a simple timer mechanism with the maximum token expiration time, which should start in the onsuccess callback of your challenge handlers. Whenever the timer expires, you can consider that your app session has expired.
Upvotes: 2
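One way to build the timer the answer describes, as an added example that is not part of the original answer and calls no MobileFirst API. The names `createSessionTimer` and `sendIfActive` are hypothetical; the assumption is that `start()` is called from the challenge handler's success callback and that `onExpire` runs the app's own logout and navigation.

```javascript
// Added example: client-side session deadline. Uses no MobileFirst API.
// createSessionTimer and sendIfActive are hypothetical names.
function createSessionTimer({ ttlSeconds, onExpire, now = Date.now,
                              setTimer = setTimeout, clearTimer = clearTimeout }) {
  let deadline = null; // epoch ms at which the session ends; null = no session
  let handle = null;   // pending timer, if any

  function end(notify) {
    if (deadline === null) return;        // already ended, never fire twice
    deadline = null;
    if (handle !== null) clearTimer(handle);
    handle = null;
    if (notify) onExpire();
  }

  return {
    // Call from the challenge handler's success callback.
    start() {
      end(false);                         // drop any previous session silently
      deadline = now() + ttlSeconds * 1000;
      handle = setTimer(() => end(true), ttlSeconds * 1000);
    },
    // Timers can be delayed or suspended while a mobile app is in the
    // background, so the stored deadline is rechecked on every call.
    isActive() {
      if (deadline === null) return false;
      if (now() >= deadline) { end(true); return false; }
      return true;
    },
    // Call on explicit logout.
    stop() { end(false); }
  };
}

// Gate every resource request: after the deadline nothing is sent, so the SDK
// never gets the chance to obtain a fresh token silently.
function sendIfActive(timer, send) {
  return timer.isActive() ? send() : null;
}
```

Set `ttlSeconds` to the same value as the Maximum Token-Expiration Period configured in the console, and route each service call through `sendIfActive` so an expired session is caught before the request leaves the app.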