OAuth token expire


OAuth token expire is a GAM Security Policy property, which needs to be specified in minutes.

It specifies how long the user session remains valid in REST services, such as Native Mobile apps, Angular front-end applications, and API objects.

Take into account that in the case of Native Mobile applications the authentication process is done using OAuth.


In order to connect to a secure application, the end user will need to know an authorized username / password. These credentials will be used in conjunction with the client_id downloaded to the device when the application is installed, to establish the first connection to the server application (see HowTo: Develop Secure REST Web Services in GeneXus for details).

When the user tries to connect to the application, a login screen is presented. On the first connection attempt, a POST is sent to the server with the username, password, and client_id. The HTTP response returns an access_token, which is used for the rest of the connection from then on.

This access_token is stored in the device and can either remain unchanged while the user is connected or be reset regularly depending on the value of the OAuth Token expire (minutes) property of the GAM Security Policy.

The access_token is stored in the device cache, and while it is valid (the user does not log out) the end user will not be presented with the login again.

The local session is destroyed when the user logs out of the application, and the local cache of the device is destroyed as well.


GAMExampleEntrySecurityPolicy Web Panel (located in GAM Example folder) is an example where this property is used.

The way to use it in GeneXus code (by using the GAM API) is the following:

&SecurityPolicy.OauthTokenExpire = &OauthTokenExpire


1. The expiration criterion for "OAuth Token Expire" is different from the web session expiration timeout. The latter is time of inactivity, the former is elapsed time.
2. The OAuth token expire (minutes) property is not considered for auto-registered users.
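
The difference described in note 1, as an added example (not GeneXus or GAM code): a small Python model that replays request timestamps against a fixed elapsed-time deadline and against an inactivity timeout. The function name, the 30-minute limit and the request traces are constructed for illustration.

```python
from datetime import datetime, timedelta


def first_rejected(issued_at, request_times, limit_minutes, sliding):
    """Return the first request time that would be rejected, or None.

    sliding=False models elapsed-time expiry (the "OAuth token expire"
    criterion): the deadline is fixed when the token is issued and
    activity never moves it.
    sliding=True models an inactivity timeout (the web session criterion):
    every accepted request restarts the countdown.
    """
    limit = timedelta(minutes=limit_minutes)
    deadline = issued_at + limit
    for t in sorted(request_times):
        if t >= deadline:
            return t
        if sliding:
            deadline = t + limit
    return None


# Constructed sample data: token issued at 09:00, limit of 30 minutes.
ISSUED = datetime(2024, 1, 1, 9, 0)
LIMIT_MINUTES = 30
# A user who sends a request every 15 minutes and is never idle for 30.
ACTIVE = [ISSUED + timedelta(minutes=m) for m in (10, 25, 40, 55, 70)]
# A user who goes quiet for 45 minutes in the middle of the session.
IDLE_GAP = [ISSUED + timedelta(minutes=m) for m in (5, 50, 55)]


def compare(request_times):
    """Return (elapsed_result, inactivity_result) for one request trace."""
    return (
        first_rejected(ISSUED, request_times, LIMIT_MINUTES, sliding=False),
        first_rejected(ISSUED, request_times, LIMIT_MINUTES, sliding=True),
    )


if __name__ == "__main__":
    for name, trace in (("active", ACTIVE), ("idle gap", IDLE_GAP)):
        elapsed, inactivity = compare(trace)
        print(f"{name}: elapsed-time rejects at {elapsed}, "
              f"inactivity rejects at {inactivity}")
```

With the same limit, the elapsed-time criterion cuts off the continuously active user at the first request after 09:30, while the inactivity criterion never does; both reject the request that follows the long idle gap.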

See Also

OAuth token maximum renovations
Security Session Management in Applications using GAM