Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Token Expired - JSON REST API - Error Code

Tags:

rest

web-services

api-design

I've got a JSON REST API. There is a handshake that will give you a token that is valid for 15 minutes. All calls you do within those 15 minutes should work ok. After the 15 minutes I am returning an error object (includes code, message, success = false) but I was also wondering what HTTP Error Code I should return? And will using a HTTP error code mess up certain clients? (HTML5, iPhone, Android). What is considered best practice in this scenario?

like image 520
BuddyJoe Avatar asked Jan 13 '12 18:01

BuddyJoe

People also ask

Is expired token 401 or 403?

Currently when using an expired access token to poll a resource the module incorrectly returns a 403 status code. According to the rfc6750 spec when polling a resource with a malformed or expired token the resource should return a 401, not a 403.

How do you check JWT token is expired or not?

verify method to a function that returns a promise and assign it to jwtVerifyAsync . Then we call jwtVerifyAsync with the token and the token secret to check if the token is valid. If it's expired, then it's considered invalid and an error will be thrown.

Do API tokens expire?

Tokens are valid for 30 days from creation or last use, so that the 30 day expiration automatically refreshes with each API call. Tokens that aren't used for 30 days expire. The 30-day period is currently fixed and can't be changed for your organization.

2 Answers

You should return a 401 Unauthorized Status Code. You might additionally provide hypermedia to establish the token again

Think about what happens in a web app. You go to say a banking site. If not auth'd it will send you to the log in page. Then you log in and you are good to go for a time. Then it expires and the cycle repeats.

Just a thought.

like image 142
suing Avatar answered Oct 06 '22 18:10

suing

according to the spec rfc6750 - "The OAuth 2.0 Authorization Framework: Bearer Token Usage", https://www.rfc-editor.org/rfc/rfc6750, p.8, section 3.1, resource server should return 401:

invalid_token The access token provided is expired, revoked, malformed, or invalid for other reasons. The resource SHOULD respond with the HTTP 401 (Unauthorized) status code. The client MAY request a new access token and retry the protected resource request.

like image 33
Louis Avatar answered Oct 06 '22 18:10

Louis
Sign in to Comment

Related questions

Error 415 Unsupported Media Type: POST not reaching REST if JSON, but it does if XML
How do I print an HTML document from a web service?
When is it safe to enable CORS?
OAuth v2 communication between authentication and resource server
Testing a JAX-RS Web Service?
Does WCF raise the bar or just the complexity level? [closed]
how to redirect to external url from c# controller
Read response body in JAX-RS client from a post request
WSDL validator? [closed]
What is the difference between remote procedure call and web service?
Java get available memory
How to secure RESTful web services?
Difference between servlet and web service
Bypass invalid SSL certificate errors when calling web services in .Net
What is limiting the # of simultaneous connections my ASP.NET application can make to a web service?
I need to learn Web Services in Java. What are the different types in it? [closed]
WCF Error "This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case"
What are the benefits of using Nginx in front of a webserver for Go?
Best way to call a JSON WebService from a .NET Console
Best/Most Comprehensive API for Stocks/Financial Data [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!