Allow any expiration timeout for Portal refresh tokens, including no timeout

02-14-2020 02:01 PM
Status: Open
JeremyBridges
Frequent Contributor

We have many customers who like to have their users log in once and never have to log in again. The secure OAuth workflow that continually generates auth tokens from a never-expiring refresh token is a reasonable security risk to them. Please allow the admin to set a refresh token expiration timeout that is whatever the organization desires, including disabling the timeout. Related documentation:

Specify the default token expiration time—Portal for ArcGIS (10.8) | Documentation for ArcGIS Enterp... 

3 Comments
lsturtevant

We are having an issue with short expiration tokens in the USGS. It used to be a default 2-week token expiration, but it has recently started to expire within only 60 minutes. It would be great if our organization admin settings had these options to specify the token expiration timeout for feature services shared internally. We often need to showcase web applications to our cooperators and stakeholders before they are published, and having to coordinate with the web app hosting teams to refresh tokens every time we have a conference is not a viable option. It's also very embarrassing/frustrating if the token expires during a conference call. We really need this type of customization!

amedenblik_USGS

Like @lsturtevant has commented, this is a critical need for our work as developers. The token expires too quickly to incorporate unpublished data into our web applications for testing, showcasing, and sharing with cooperators. This issue has wasted many hours and decreased the quality of our work.

DavidSolari

Our team was able to work around this after switching from standalone servers to Enterprise, but our client has now tripled the number of requests they make, as they can't cache tokens between multiple requests. I think a reasonable compromise would be to keep the 2-week limit for Portal tokens, but allow the server tokens used for direct service access to have longer expiration times. This maintains some backwards compatibility with older server setups while keeping the current level of security intact for the newer Portal workflows.