Client-side token refresh

Idea created by jpeppard-esristaff Employee on Apr 25, 2017

    Synopsis:  Enhance the Portal home app login with an automated client-side token refresh operation that uses a refresh token to renew the access token a user uses to authenticate against Portal.

     

    Description:  The login experience for Portal could be enhanced to pull a refresh token when users log in. The refresh token can then periodically renew the user access token as long as the user is not idle beyond 15 minutes. In the current Portal token configuration, when "maxTokenExpirationinMinutes" is set to any fixed length of time, users are signed out after that set time regardless of activity.

     

    Use Case

    1. Provide the appropriate/comparable step by step workflow to help illustrate the request.

    1. Navigate to <web.domain.com>/arcgis/sharing/portals/0123456789ABCDEF/update
    2. Update the "maxTokenExpirationinMinutes" to 15 (minutes).
    3. After 15 minutes the user is "signed out" and must sign in again.

    2. What is the problem feature X is trying to solve? (i.e. What is the problem/limitation/design choice that is preventing the customer from moving forward?)
    To adhere to Department of Defense & Federal Security policy requirements, federal agencies and defense customers may implement a 15-minute token expiration (please refer to the workflow for illustration). Because pages such as the Portal Home app and the Map Viewer do not refresh the token automatically, users working within these pages are prone to a poor user experience. Sign-outs after 15 minutes result in the inability to save maps and the subsequent loss of work.

     

    3. What are the benefits or changes that would result from the enhancement? (i.e. How does making this change help the customer's workflow or business?)
    Implementing a refresh token would prevent users from losing their work & unsaved maps. After a refresh token is pulled, it could be periodically renewed as long as the user isn't idle. If the user is idle beyond the 15 minute point, then they would be signed out.
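
The renewal policy requested above (renew while the user is active, sign out once idle for 15 minutes), as an added example that is not Portal or ArcGIS code. `TokenSession`, `refreshFn` and the 2-minute renewal margin are hypothetical names and values chosen for illustration.

```javascript
// Added example; hypothetical names, not Portal/ArcGIS API code.
const IDLE_LIMIT_MS = 15 * 60 * 1000;    // idle cutoff from the idea text
const REFRESH_MARGIN_MS = 2 * 60 * 1000; // assumption: renew 2 min before expiry

class TokenSession {
  // refreshFn(refreshToken) -> { accessToken, expiresInMs } is injected; it is
  // synchronous here for brevity, a real client would await a network call.
  constructor({ accessToken, expiresInMs, refreshToken }, refreshFn, now = Date.now) {
    this.now = now;
    this.refreshFn = refreshFn;
    this.accessToken = accessToken;
    this.refreshToken = refreshToken;
    this.expiresAt = now() + expiresInMs;
    this.lastActivity = now();
    this.signedOut = false;
  }

  signOut() {
    this.accessToken = null;
    this.refreshToken = null; // drop both so a stale tab cannot renew later
    this.signedOut = true;
  }

  // Call from real user input (pointer, key, save) only, never from timers.
  // The idle limit is checked here too: a suspended tab may have skipped
  // ticks, and new input must not erase an idle period that already lapsed.
  recordActivity() {
    const t = this.now();
    if (this.signedOut) return;
    if (t - this.lastActivity >= IDLE_LIMIT_MS) return this.signOut();
    this.lastActivity = t;
  }

  // Run on a short timer. Returns the action taken on this tick.
  tick() {
    if (this.signedOut) return "signed-out";
    const t = this.now();
    if (t - this.lastActivity >= IDLE_LIMIT_MS || t >= this.expiresAt) {
      this.signOut();
      return "signed-out";
    }
    if (this.expiresAt - t > REFRESH_MARGIN_MS) return "ok";
    const next = this.refreshFn(this.refreshToken);
    this.accessToken = next.accessToken;
    this.expiresAt = t + next.expiresInMs;
    return "refreshed";
  }
}
```

Client-side idle tracking only shapes the user experience; the server still has to limit how long a refresh token can be redeemed.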