Client-side token refresh

04-25-2017 10:07 AM
Status: Open
Esri Contributor

Synopsis:  Enhance the Portal home app login with an automated client-side token refresh operation that uses a refresh token to renew the access token a user uses to authenticate against Portal.

Description:  The login experience for Portal could be enhanced to pull a refresh token when users log in. The refresh token can then periodically renew the user access token as long as the user is not idle beyond 15 minutes. The current token configuration is set up in Portal such that when "maxTokenExpirationinMinutes" is set to any fixed length of time, users are signed out after that set time regardless of activity.

Use Case

1. Provide the appropriate/comparable step-by-step workflow to help illustrate the request.

  1. Navigate to <>/arcgis/sharing/portals/0123456789ABCDEF/update
  2. Update the "maxTokenExpirationinMinutes" to 15 (minutes).
  3. After 15 minutes the user is "signed out" and must sign in again.

2. What is the problem feature X is trying to solve? (i.e. What is the problem/limitation/design choice that is preventing the customer from moving forward?)
To adhere to Department of Defense & Federal Security policy requirements, federal agencies and defense customers may implement a 15-minute token expiration (please refer to the workflow for illustration). Because pages such as the Portal Home app and the Map Viewer do not refresh the token automatically, users working within these pages are prone to a poor user experience. Sign-outs after 15 minutes result in the inability to save maps and the subsequent loss of work.

3. What are the benefits or changes that would result from the enhancement? (i.e. How does making this change help the customer's workflow or business?)
Implementing a refresh token would prevent users from losing their work & unsaved maps. After a refresh token is pulled, it could be periodically renewed as long as the user isn't idle. If the user is idle beyond the 15-minute point, then they would be signed out.
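The refresh-and-idle policy described in the idea, as an added JavaScript example that is not part of the original post or of Esri's software. createSession, refresh, signOut and the fake clock are assumed names; the synchronous refresh callback stands in for an awaited request to Portal's token endpoint.

```javascript
// Added example (not Esri code): client-side, idle-gated token refresh as proposed above.
// Names such as createSession, refresh and signOut are hypothetical; a real client would
// exchange the refresh token at Portal's token endpoint instead of calling refresh().
const IDLE_LIMIT_MS = 15 * 60 * 1000;    // sign out once the user has been idle this long
const REFRESH_MARGIN_MS = 60 * 1000;     // renew when a minute or less of token life remains

function createSession({ accessToken, expiresAt, refreshToken, refresh, signOut, now }) {
  const s = { accessToken, expiresAt, refreshToken, lastActivity: now(), signedOut: false };

  function end(reason) {
    s.signedOut = true;
    s.accessToken = null;      // drop both credentials from memory, not just the UI state
    s.refreshToken = null;
    signOut(reason);
    return 'signed-out';
  }
  // Wire this to user events (keydown, pointerdown, app requests) so idle time is measured
  // from real activity, never from the automatic refresh itself.
  s.recordActivity = function () { if (!s.signedOut) s.lastActivity = now(); };

  // Run on a timer (e.g. every 30 s). Returns what it did so callers can log it.
  s.tick = function () {
    if (s.signedOut) return 'signed-out';
    const t = now();
    if (t - s.lastActivity > IDLE_LIMIT_MS) return end('idle');   // idle rule wins
    if (t >= s.expiresAt) return end('expired');                   // too late to refresh
    if (s.expiresAt - t > REFRESH_MARGIN_MS) return 'ok';
    const r = refresh(s.refreshToken);  // synchronous stand-in for an awaited fetch
    if (!r) return end('refresh-failed');
    s.accessToken = r.accessToken;
    s.expiresAt = r.expiresAt;
    if (r.refreshToken) s.refreshToken = r.refreshToken;          // accept a rotated refresh token
    return 'refreshed';
  };
  return s;
}

// Constructed scenario with a fake clock: 15-minute tokens, user works for 14 minutes,
// then walks away; the token is renewed while active and the session ends once idle > 15 min.
function demo() {
  const MIN = 60 * 1000;
  let clock = 0;
  const log = [];
  const s = createSession({
    accessToken: 'tok1', expiresAt: 15 * MIN, refreshToken: 'rt1',
    refresh: (rt) => ({ accessToken: 'tok2', expiresAt: clock + 15 * MIN, refreshToken: rt }),
    signOut: (why) => log.push('signout:' + why),
    now: () => clock,
  });
  clock = 13 * MIN; s.recordActivity(); log.push(s.tick());   // 2 min left: 'ok'
  clock = 14 * MIN; s.recordActivity(); log.push(s.tick());   // 1 min left: 'refreshed'
  clock = 28 * MIN; log.push(s.tick());                        // idle 14 min: 'refreshed' again
  clock = 30 * MIN; log.push(s.tick());                        // idle 16 min: signed out
  return { events: log, token: s.accessToken };
}
```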

1 Comment

Is adjusting the token-refresh the best/only way to solve the issue? Is there not a simpler JavaScript timeout (or other) solution that might, similar to bank apps, tell the user they have been inactive for 10 minutes and let them know their session will end without activity in 5 more minutes? If no activity, delete the esri cookie after a certain amount of time and sign the user out?