Hook to expire authentication token based on time? #295

Closed
falak opened this issue Feb 28, 2017 · 1 comment
Labels: duplicate, support request

Comments

falak commented Feb 28, 2017

Basically I am developing a single sign-on application using Rails 5 API and Simple Token Authentication. I have two interfaces: one is the web interface that is for Admin and another is an API-based interface which will be used by applications that sign up on SSO. I am able to authenticate users via authentication token for each request, but I want more security by expiring the token after a specific time and generating a new one. How can I do this? After the token expires, how can I notify the user that the token has expired and a new token has been generated, as the user will have the old token in the response headers? When the user sends a new request, it will only have the old token.

Owner

gonzalo-bulnes commented Feb 28, 2017

Hello @falak,

Please follow this thread: "Expire token supported?" It links to an example using the after_successful_token_authentication hook. Your expiration logic can be handled in the hook (and nothing prevents you from storing an expiration date in the database along with the authentication token).

A client attempting to use the API with an expired token will be unable to do so (possibly receiving an HTTP 401 Access Denied response, depending on your settings; using the fallback: :exception option would do that, for example).

Handling that response is the responsibility of the client. Asking the user to sign in again will allow the client to get the new authentication token. Besides, that works whether the client already had an expired token or is contacting the API for the first time, and that's what I would recommend doing.

(Note: We're currently expanding the wiki to make information easier to find. Please feel welcome to create a new "How-to" page if you wish - I can help you find the right place to put it.)

gonzalo-bulnes added the support request label Jan 2, 2021
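
The expiry policy described in the reply above, sketched in plain Ruby as an added example (it is not code from Simple Token Authentication or from this thread, and it runs without Rails). `Account`, `ExpiringTokens`, `token_expires_at` and the 15-minute `TTL` are assumed names and values; in a Rails app the expiry branch is the part that would run in the hook.

```ruby
require "securerandom"

# Hypothetical stand-in for a user row: in a Rails app these would be the
# authentication token column plus an added expiry timestamp column.
Account = Struct.new(:email, :authentication_token, :token_expires_at)

class ExpiringTokens
  TTL = 15 * 60 # seconds; assumed lifetime, choose one that fits the API

  # The clock is injectable so expiry can be exercised without sleeping.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @accounts = {}
  end

  def register(email)
    @accounts[email] = Account.new(email, nil, nil)
  end

  # Run after a successful sign-in: always rotate token and expiry together.
  def issue(email)
    account = @accounts.fetch(email)
    account.authentication_token = SecureRandom.urlsafe_base64(32)
    account.token_expires_at = @clock.call + TTL
    account.authentication_token
  end

  # Returns the HTTP status the API would answer with for these credentials.
  def authenticate(email, token)
    account = @accounts[email]
    return 401 unless account&.authentication_token && token
    return 401 unless secure_equal?(account.authentication_token, token)
    if @clock.call >= account.token_expires_at
      # Expired: discard the stored token so it can never match again;
      # the client has to sign in again to obtain a new one.
      account.authentication_token = nil
      return 401
    end
    200
  end

  private

  # Constant-time comparison, so response timing does not leak token bytes.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

An expired token and an unknown token get the same 401, so the response does not reveal which tokens were once valid.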