A token is used to authenticate portal members. When a user attempts to access the portal, they provide their user name and password. ArcGIS Enterprise verifies the supplied credentials, generates a token, and issues a token to the member.
A token is a string of encrypted information that contains the user's name, the token expiration time, and other proprietary information. When a token is issued to the member, they can access the portal until the token expires. When it expires, the member must provide their user name and password again.
There are three different types of tokens that are used within the portal:
- ArcGIS token: A token generated through the sharing/rest/generateToken endpoint.
- OAuth access token: A token generated through the OAuth2 authentication workflow.
- OAuth refresh token: A token used to generate new OAuth access tokens when they expire.
When generating a new token, it's recommended to specify an expiration time. If an expiration time is not included, each type of token has a default expiration value:
- ArcGIS token: 120 minutes
- OAuth access token: 30 minutes
- OAuth refresh token: 2 weeks (20160 minutes)
These default values cannot be increased and can be only be decreased by setting the maxTokenExpirationMinutes property in the ArcGIS Portal Administrator Directory to a value less than the default value. Although these values may be appropriate for your organization, it is important to consider the security implications behind a token. A token with a longer expiration time is less secure. For example, a token intercepted by a malicious user can be used until the token expires. Conversely, a shorter expiration time is more secure but less convenient, as members may need to enter their user name and password more frequently.
To change the default token expiration time for all three token types, follow the steps below. The value you specify applies to all portal members; you cannot specify different values for specific members or just administrators.
- Sign in to the ArcGIS Portal Directory as an administrator of your organization. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/sharing/rest.
- Click Portals > Self.
- Scroll to the bottom of the page and click Update.
- Update the Max Token Expiration Minutes field with the desired value (in minutes). For example, enter 1440 to specify an expiration period of one day.
- Click Update Organization to apply your changes.