On Fri, Jul 5, 2013 at 4:30 PM, Vijayaratha Vijayasingam <[email protected]> wrote:
> Hi all;
>
> Currently in the APIManager we provide an option in the identity.xml to
> configure the token validity period. But it is global level one time
> setting.
>
> *Scenario*
>
> If there is any theft in the tokens or publisher Admin may want to control
> the validity period of the token per Application/Per user level, based on
> some conditions, admin needs to configure the token validity period.
> Currently we don't have that facility in APIManager.
>

We do need to have a validity period per application/per user. But it's meaningful to have validity period per application. Tokens are given to the application not for the users.

>
> *Approaches*
>
> To provide a flexible token validation configuration parameter;
>
> 1. At the store UI, when store admin/subscriber creates an
> application, we can ask for validityTime for the token. In this case,
> again, tokenValidity period is going to be Application level. So, this will
> affect all users who are subscribed to that application. (Let's say, this
> as "ApplicationToken Validity period")
>

+1

Also - we the authorization server can respect this or not.

Thanks & regards,
-Prabath

> 2. At the store front, if we consider per user level validity period
> for an Application (Let's say, this as Usertoken validity period for
> Application), would be a better solution?
>
>
> How can we approach this token validity configuration ?
>
> Any thoughts/ideas are welcome..
>
> Thanks.
>
> --
> -Ratha
> mobile: (+94)755906608
>

--
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://RampartFAQ.com
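An added example of the application-level validity period discussed in this thread (not code from the post or from APIManager): a per-application period falls back to the global setting, the authorization server caps what it grants, and expiry is computed at validation time so shortening an application's period after a token theft also cuts off tokens already issued. The class, constants, application ids and token strings are hypothetical, and the validation-time expiry is an assumption of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

GLOBAL_DEFAULT_SECS = 3600  # stands in for the one global setting in identity.xml (constructed value)
SERVER_MAX_SECS = 86400     # hypothetical ceiling enforced by the authorization server


@dataclass
class AuthorizationServer:
    # Per-application overrides, keyed by a hypothetical application id.
    app_validity: Dict[str, int] = field(default_factory=dict)
    # token -> (application id, issue time in seconds)
    issued: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def set_app_validity(self, app_id: str, requested_secs: int) -> int:
        """Record the requested period; the server may grant less than was asked."""
        if requested_secs <= 0:
            raise ValueError("validity period must be positive")
        granted = min(requested_secs, SERVER_MAX_SECS)
        self.app_validity[app_id] = granted
        return granted

    def effective_validity(self, app_id: str) -> int:
        """Application-level period if configured, otherwise the global default."""
        return self.app_validity.get(app_id, GLOBAL_DEFAULT_SECS)

    def issue(self, token: str, app_id: str, now: int) -> None:
        self.issued[token] = (app_id, now)

    def is_valid(self, token: str, now: int) -> bool:
        record = self.issued.get(token)
        if record is None:
            return False  # unknown tokens are rejected
        app_id, issued_at = record
        # Expiry is derived from the current period, not stored in the token,
        # so a shortened period applies to outstanding tokens as well.
        return now - issued_at < self.effective_validity(app_id)
```

If the expiry were instead fixed at issue time, shortening the period would only affect tokens issued afterwards.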
