I am using the bshaffer/oauth2-server-php library for implementing an OAuth2 server.
Currently, I'm using an access token to be authenticated on every request and a refresh token when the access token has expired, so if the refresh token is not expired the server returns a new access token. In case the refresh token has expired, the following error is returned: {"error":"invalid_grant","error_description":"Refresh token has expired"}, and after that, on the client side, the user is automatically logged out.
I want to implement a standard "PHP session timeout" with OAuth2. So my tokens will be invalid after XX minutes from the last request (if there are no requests in the meantime), meaning I'll extend the validity of my tokens on each request for XX minutes.
I want the expiry time of the refresh token to be consistent with my last request, so the previous error will be returned just after XX minutes of user inactivity. Can anyone tell me what is the best practice to implement this? I thought to send the refresh token in a header on every request and manually extend its expiry time in the database, but I don't know if that is secure enough.
Is this something that is handled by OAuth2, or should it not be implemented on systems that use API calls?
Also, I am interested in how this case can be handled in OAuth2.
Thanks in advance.
That's not how OAuth2 works.
OAuth2 does not care about your session or users or anything else. All it does is issue a token which is valid for a configurable amount of time. OAuth2 does application-level authorization and has nothing to do with user sessions.
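To make the distinction in the answer concrete, here is an added example (not code from the question, the answer, or the bshaffer/oauth2-server-php library) of a token store that keeps the two concerns apart: the access and refresh tokens get a fixed, absolute lifetime at issue time, exactly as OAuth2 expects, while the "XX minutes of inactivity" rule from the question lives in a separate idle-timeout layer that only moves a last-activity timestamp. The constants ACCESS_TTL, REFRESH_TTL and IDLE_TIMEOUT, the class TokenStore and its method names are all assumptions chosen for the example; the invalid_grant error body is the one quoted in the question.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed example: OAuth2 token lifetimes are absolute (set once at issue
# time); the idle timeout is a separate, sliding, application-level rule.
ACCESS_TTL = 60          # seconds; assumed short access-token lifetime
REFRESH_TTL = 7 * 86400  # seconds; assumed absolute refresh-token lifetime
IDLE_TIMEOUT = 30 * 60   # seconds; the "XX minutes" of inactivity (assumed)


@dataclass
class Grant:
    user_id: str
    access_token: str
    refresh_token: str
    access_expires: float    # absolute; never extended
    refresh_expires: float   # absolute; never extended
    last_activity: float     # the only field that moves on a request


class TokenStore:
    """Hypothetical in-memory store standing in for the database tables."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so the logic can be tested
        self.by_access = {}
        self.by_refresh = {}

    def issue(self, user_id, last_activity=None):
        t = self.now()
        g = Grant(user_id, secrets.token_urlsafe(32), secrets.token_urlsafe(32),
                  t + ACCESS_TTL, t + REFRESH_TTL,
                  t if last_activity is None else last_activity)
        self.by_access[g.access_token] = g
        self.by_refresh[g.refresh_token] = g
        return g

    def verify_resource_request(self, access_token):
        """Resource-server check: fixed token lifetime first, then idle window."""
        g = self.by_access.get(access_token)
        t = self.now()
        if g is None or t > g.access_expires:
            return {"error": "invalid_token",
                    "error_description": "The access token provided has expired"}
        if t - g.last_activity > IDLE_TIMEOUT:
            return {"error": "invalid_token",
                    "error_description": "Session idle timeout"}
        g.last_activity = t       # a real request extends the idle window only
        return {"user_id": g.user_id}

    def refresh(self, refresh_token):
        """Token endpoint: refresh tokens are single use and are rotated."""
        g = self.by_refresh.pop(refresh_token, None)
        t = self.now()
        if g is None or t > g.refresh_expires or t - g.last_activity > IDLE_TIMEOUT:
            return {"error": "invalid_grant",
                    "error_description": "Refresh token has expired"}
        self.by_access.pop(g.access_token, None)
        # Carry last_activity over: a silent refresh is not user activity, so a
        # client cannot keep a session alive just by refreshing in a loop.
        new = self.issue(g.user_id, last_activity=g.last_activity)
        return {"access_token": new.access_token, "refresh_token": new.refresh_token}


if __name__ == "__main__":
    clock = [1000.0]
    store = TokenStore(now=lambda: clock[0])
    g = store.issue("alice")
    print(store.verify_resource_request(g.access_token))
    clock[0] += IDLE_TIMEOUT + 1
    print(store.refresh(g.refresh_token))   # idle window elapsed -> invalid_grant
```

The point the layering makes: the refresh endpoint still returns the same invalid_grant error the question quotes, but because the idle window expired, not because the refresh token's own lifetime was rewritten on every request. The token lifetimes never change after issue, so nothing has to be sent back to the server and extended in the database on each call, which was the part the asker was unsure about.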