What is the length of OAuth Bearer Token expiration?

I can’t find this information anywhere. I’m wondering what the expiration time is in the bearer tokens issued by the OAuth2 API, if any.

How do these tokens expire? If they don’t, how can I make a PWA secure?

Bumping this? Is anyone looking at this?

Hi @chrisdmacrae,
Would you be able to elaborate on the use case of the OAuth token? It seems you would like to use the Access Token directly in the frontend. That is usually not recommended, since our tokens don’t expire unless revoked and are usually tied to your account.

If you need your users to login and access Contentful content, maybe what you are looking for is to Create an OAuth App for your website.

Hi,

Sorry for pushing this old thread. I didn’t find any newer one.

I guess what chrisdmacrae was referring to was the OAuth 2.0 Access Token that’s generated when you’ve logged in with your Contentful Single Sign On Mask as described in the documentation that you’ve mentioned. And this question is really relevant. In OAuth 2.0, you get the Access Token attached to your Redirect URL like this: https://www.myside.com/landingpage/?access_token=. This Access Token is stored on the Client side (Browser / App) and then reused for other requests as well, just like a Session Token. Of course it’s important for a Developing Team to know how these tokens can be revoked. This is not documented in the Contentful Documentation which is accessible on the Internet. Only because of checking the Network Tab am I aware that Contentful uses a revoke endpoint when the users are logged out. Theoretically, 3rd Party Apps could indeed re-use this endpoint, but since it’s not documented (or at least I wasn’t able to find the documentation), Developing Teams of 3rd Party Apps don’t know if they’re allowed to use it.

If you want to create an internal application based on Contentful which is not using a 3rd Party Single Sign On like Azure and want to use the Login Mask of Contentful, it would of course also be nice to know if there is an option in Contentful to let these Access Tokens, generated by Contentful as the OAuth 2.0 Provider, expire after some hours (automatic logout / session termination). Also, I did not find any documentation about this. Do 3rd Party App Developers that want to re-use the Login Mask of Contentful as described in your link really have to set up their own session termination job in an external webstorage?

Would be nice to get some insights here. Thank you.

Kind regards

Marc
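As an added example (not Contentful’s code and not something posted in this thread), here is how a client-side app could handle an access token that the provider never expires: it pulls the token off the redirect URL, scrubs it from the URL so it does not linger in history or referrers, and keeps its own issued-at timestamp so the app can force a re-login after a fixed session lifetime. The 8-hour lifetime, the `cf_session` storage key and the in-memory storage stub (standing in for `sessionStorage`) are assumptions made for this example; the parser accepts the token in the query string as shown above and also in the URL fragment.

```javascript
// Added example, not Contentful's code: app-side session lifetime for a
// non-expiring OAuth 2.0 access token delivered on the redirect URL.

const SESSION_MAX_AGE_MS = 8 * 60 * 60 * 1000; // assumed policy: 8 hours
const SESSION_KEY = 'cf_session';               // assumed storage key

// Read access_token from the query string (as in the thread) or from the
// URL fragment, which many OAuth providers use for the implicit flow.
function extractAccessToken(url) {
  const u = new URL(url);
  const fromQuery = u.searchParams.get('access_token');
  if (fromQuery) return fromQuery;
  const fragment = u.hash.startsWith('#') ? u.hash.slice(1) : u.hash;
  return new URLSearchParams(fragment).get('access_token');
}

// Return the URL with the token removed from both query and fragment, so
// the app can history.replaceState() it away after reading the token.
function stripAccessToken(url) {
  const u = new URL(url);
  u.searchParams.delete('access_token');
  const fragment = u.hash.startsWith('#') ? u.hash.slice(1) : u.hash;
  const fragParams = new URLSearchParams(fragment);
  fragParams.delete('access_token');
  u.hash = fragParams.toString(); // empty string clears the fragment
  return u.toString();
}

// Minimal Web Storage-shaped stub so the example runs outside a browser;
// in the app, pass window.sessionStorage instead.
function createMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Record the token together with the time the app received it.
function startSession(storage, token, nowMs = Date.now()) {
  storage.setItem(SESSION_KEY, JSON.stringify({ token, issuedAt: nowMs }));
}

// Return the token while the app-side session is fresh; once it is older
// than maxAgeMs (or the record is malformed) drop it and return null so the
// caller sends the user back through login.
function getValidToken(storage, nowMs = Date.now(), maxAgeMs = SESSION_MAX_AGE_MS) {
  const raw = storage.getItem(SESSION_KEY);
  if (!raw) return null;
  let record;
  try { record = JSON.parse(raw); } catch (e) { record = null; }
  if (!record || typeof record.token !== 'string' || typeof record.issuedAt !== 'number') {
    storage.removeItem(SESSION_KEY);
    return null;
  }
  if (nowMs - record.issuedAt > maxAgeMs) {
    storage.removeItem(SESSION_KEY);
    return null;
  }
  return record.token;
}

// Local logout only: this forgets the token in the app, but the token itself
// stays valid at the provider until it is revoked there.
function endSession(storage) {
  storage.removeItem(SESSION_KEY);
}

// Header to attach to API calls made with a still-valid token.
function authHeaders(token) {
  return { Authorization: `Bearer ${token}` };
}

// Usage on the landing page (constructed URL, not a real token):
const landingUrl = 'https://www.myside.com/landingpage/?access_token=CONSTRUCTED_TOKEN_123';
const storage = createMemoryStorage();
const token = extractAccessToken(landingUrl);
if (token) {
  startSession(storage, token);
  const cleanUrl = stripAccessToken(landingUrl); // then history.replaceState(null, '', cleanUrl)
  console.log('session started, clean URL:', cleanUrl);
}
console.log(getValidToken(storage) ? 'token usable' : 'login required');
```

The app-side timestamp is the only expiry the client can enforce here; it does not shorten the token’s lifetime at the provider, so a leaked token is still only neutralised by revoking it in the account UI as described in this thread.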

As Alma mentioned, OAuth tokens currently cannot be revoked by our customers via APIs, but only in the user interface here. You can also request to revoke tokens to our customer support, should you need to.

The way you could leverage the App Framework in your case, is to build a Page Location App (which can therefore only be accessed by logged in users). In that way, you only need to take care of the communication with your backend - as the integration with Contentful happens out of the box.

At that point, App Identities can be used for the service to service communication, should you ever need your backend to interact with Contentful.

The current recommended way to integrate with Contentful is through the App Framework. While we do have and maintain OAuth, we don’t have further updates and new features planned in the foreseeable future in that area.

Thanks for the additional information. Based on Alma’s comment, I had not understood that revoking the access token is only possible on Account Level via the UI. Now I understand that it’s not possible to revoke them via APIs or have an expiry date here.