Question

In Magento [2.2.4] web API, when I pass a username and password it generates a token for that specific customer (which is only valid for 1 hour; it is configurable from the Magento admin):

http://magento.host/index.php/rest/V1/integration/customer/token?username=test.user@test.com&password=test@123

which returns a token.

After generating the token, we pass that token in the header:

Authorization :: Bearer *Token Value*

http://magento.host/index.php/rest/V1/customers/me

which returns the customer details.

The above case I explained is working fine for the web API in Magento 2, which I tested in Postman.

Now the case is:

Regenerating the token every hour, and then logging in again every hour, is not logical for a mobile application.

Then how does Magento manage user login data and authentication in a mobile application, if the API is developed as per service contracts?

  • How long should I allow my access tokens to exist before they expire in a mobile application?
    • I don't want to force my users to re-authenticate every hour in a mobile application.
    • How to properly manage your OAuth2 API token life-cycle for a mobile application.

Making changes to the Access Token Lifetime hours would not be a logical solution, because the application and the web should have different token lifetime hours.


Solution

To check for a valid customer token, Magento checks two criteria:

  1. Is the token revoked? (That happens when the user logs out.) revoked is saved as 1 in the oauth_token table.
  2. Is the token actually present in the oauth_token table?

Magento runs a cron to remove the expired tokens (as per the lifetime in the admin setting) from the table (vendor\magento\module-integration\Cron\CleanExpiredTokens.php).

Possible solution

  1. Increase the token lifetime from the admin.
  2. Override the above-mentioned cron to only remove the tokens that are revoked, i.e. the logged-out customers' tokens.

Hope this answers your question.
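One way to implement the second suggestion, as an added example that is not code from the answer or from Magento itself: a cron class in a custom module that takes over Magento_Integration's `expired_tokens_cleanup` job, removes customer tokens only when they are revoked or older than a separate, longer mobile lifetime, and keeps cleaning admin tokens by their configured lifetime. The module name `Vendor_TokenCleanup`, the 30-day customer cutoff, and UTC timestamps in `created_at` are assumptions; the table and column names are the ones the answer refers to.

```php
<?php
// app/code/Vendor/TokenCleanup/etc/crontab.xml (hypothetical module) declares a job with the
// SAME name as the core cleanup job, so after a cache flush this class runs in its place.
// The module must load after Magento_Integration (<sequence> in module.xml) for the merge to win.
//
// <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
//         xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Cron:etc/crontab.xsd">
//   <group id="default">
//     <job name="expired_tokens_cleanup" instance="Vendor\TokenCleanup\Cron\CleanTokens" method="execute">
//       <schedule>0 * * * *</schedule>
//     </job>
//   </group>
// </config>
namespace Vendor\TokenCleanup\Cron;

use Magento\Authorization\Model\UserContextInterface;
use Magento\Framework\App\ResourceConnection;
use Magento\Integration\Helper\Oauth\Data as OauthHelper;

class CleanTokens
{
    /** Upper bound for customer (mobile) tokens in hours; 30 days is an assumed value. */
    private const MAX_CUSTOMER_TOKEN_AGE_HOURS = 24 * 30;

    private $resource;
    private $oauthHelper;

    public function __construct(ResourceConnection $resource, OauthHelper $oauthHelper)
    {
        $this->resource = $resource;
        $this->oauthHelper = $oauthHelper;
    }

    public function execute(): void
    {
        $db = $this->resource->getConnection();
        $table = $this->resource->getTableName('oauth_token');
        $customer = UserContextInterface::USER_TYPE_CUSTOMER;

        // 1. Logged-out customers: revoked = 1 is the only condition the answer keeps.
        $db->delete($table, ['user_type = ?' => $customer, 'revoked = ?' => 1]);

        // 2. Customer tokens still get a long upper bound, so a token copied off a lost
        //    device does not stay valid forever (created_at assumed to be UTC).
        $cutoff = gmdate('Y-m-d H:i:s', time() - self::MAX_CUSTOMER_TOKEN_AGE_HOURS * 3600);
        $db->delete($table, ['user_type = ?' => $customer, 'created_at < ?' => $cutoff]);

        // 3. Admin tokens keep the admin lifetime from the core job that this class replaces.
        $adminCutoff = gmdate('Y-m-d H:i:s', time() - $this->oauthHelper->getAdminTokenLifetime() * 3600);
        $db->delete($table, ['user_type = ?' => UserContextInterface::USER_TYPE_ADMIN, 'created_at < ?' => $adminCutoff]);
    }
}
```

The web storefront keeps the shorter admin-configured lifetime only if it logs out (revokes) on its own schedule, so pair this with a logout on the web client rather than relying on the cron alone.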

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange