My application is an ASP.NET Identity 2 Web API application. In my Startup class I set AccessTokenExpireTimeSpan to 14 days:
```csharp
using System;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }
    public static string PublicClientId { get; private set; }

    // For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
    public void ConfigureAuth(IAppBuilder app)
    {
        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(PublicClientId),
            AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
            // Permits the token endpoint to be called over plain HTTP.
            AllowInsecureHttp = true
        };
    }
}
```
However I also noticed an example on the web where the following is set inside the ApplicationUserManager class in the Create method:
```csharp
if (dataProtectionProvider != null)
{
    manager.UserTokenProvider =
        new DataProtectorTokenProvider<ApplicationUser>
            (dataProtectionProvider.Create("ASP.NET Identity"))
        {
            TokenLifespan = TimeSpan.FromHours(1)
        };
}
```
Can someone explain to me which I should be using:
Use the `AccessTokenExpireTimeSpan` in class `OAuthAuthorizationServerOptions` to set the expiry time for your access token.
The `TokenLifespan` property is used to set the lifetime for the unique code sent when you configure sending email confirmations and password resets. Maybe it should be named something else to remove this ambiguity. If you are not sending password reset links then ignore this property.
Check this post too for a complete example.
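The two settings side by side, showing where each lifetime takes effect. This is an added example, not code from the question, the answer or the linked post. It assumes the Web API project template's `ApplicationUser`, `ApplicationDbContext` and `ApplicationOAuthProvider` types; the client id `"self"` and the `TryResetAsync` helper are hypothetical.

```csharp
// Added example. ApplicationUser, ApplicationDbContext, ApplicationOAuthProvider: assumed template types.
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.UseOAuthBearerTokens(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider("self"), // "self": assumed client id
            // Lifetime of the bearer token returned by POST /Token (its "expires_in").
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(14)
            // AllowInsecureHttp is left at its default (false), so /Token requires HTTPS.
        });
    }
}

public class ApplicationUserManager : UserManager<ApplicationUser>
{
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }
    public static ApplicationUserManager Create(IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
    {
        var manager = new ApplicationUserManager(new UserStore<ApplicationUser>(context.Get<ApplicationDbContext>()));
        if (options.DataProtectionProvider != null)
        {
            manager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(
                options.DataProtectionProvider.Create("ASP.NET Identity"))
            {
                // Lifetime of e-mailed confirmation and password-reset codes only.
                TokenLifespan = TimeSpan.FromHours(1)
            };
        }
        return manager;
    }
    // Hypothetical helper: fails once TokenLifespan has elapsed, whatever AccessTokenExpireTimeSpan is.
    public async Task<bool> TryResetAsync(string userId, string code, string newPassword)
        => (await ResetPasswordAsync(userId, code, newPassword)).Succeeded;
}
```

The `code` passed to `TryResetAsync` is the value produced earlier by `GeneratePasswordResetTokenAsync`; it is never sent as a bearer token, and the bearer token is never checked against `TokenLifespan`.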