OAuth token expire (minutes)

Official Content
This documentation is valid for:

OAuth token expire is a GAM Security Policy property, which needs to be specified in minutes.

It allows specifying the time of validity of the user session in SD applications. Take into account that in case of SD applications the authentication process is done using OAuth.


In order to connect to a secure smart devices application, the final user will need to know an authorized username / password. This credentials will be used in conjunction with the client_id and client_secret downloaded to the device when the application is installed, in order to stablish the first connection to the server application (see Secure Native Mobile applications architecture for details).

When the user tries to connect to the application, a login is presented to him. The first time he tries to connect, a POST is done to the server, using username, password, client_id, and client_secret, and the HTTP Response returns an access_token which will be used all over the connection since now on.

This access_token is stored in the device, and can either remain unchanged while the user is connected, or be reset regularly depending on the value of the "OAuth Token Expire" property of the GAM Security Policy.

The access_token stores in the device cache, and while it's valid (the user does not logs out) the final user will not be presented the login again.

The local session is destroyed when the user logs out the application, and the local cache of the device is destroyed.


GAMExampleEntrySecurityPolicy Web Panel (located in GAM Example folder) is an example where this property is used.

The way to use it in GeneXus code (by using the GAM API) is the following:

&SecurityPolicy.OauthTokenExpire  = &OauthTokenExpire


1. The criteria of time expiration for "OAuth Token Expire" is different from the web session expiration timeout. The latter is time of inactivity, the former is elapsed time.
2. OAuth token expire (minutes) property is not considered for auto-registered users.

See Also

OAuth token maximum renovations
Security Session Management in Applications using GAM