Access token remain active during session

We have a secure app which needs a very short access token validity period (for example, 15 mins). We would like the access token to remain active while the user is active and making API calls. However, once there is 15 mins of inactivity it should expire. Essentially, the expiration time shouldn’t be fixed, but rather 15 mins from last call.
What is a good pattern to use for this model?

Disclaimer: This highly depends on the exact characteristics of your system, for example, types of client applications, if authentications session are established, etc. The answer below goes for the general case of API and traditional web applications.

Use of bearer tokens based authentication/authorization in API’s does not lend itself well for these types of scenarios because the token itself is, in general, meant to be the single point of decision. Also the API is in a weird place to judge user activity as in most situations the user is active in a client application and that client application is the best place to judge user activity as some user actions may not immediately trigger API actions.

You could of course keep track (at the API level) of the time each access token was received and if it was more than fifteen minutes ago reject that access token. This would imply that the client application calling the API would have to obtain a new access token.

However this would assume that obtaining a new access token requires some sort of user presence/activity, otherwise this type of strategy would be ineffective. More specifically, you would have to ensure that the API in question does not allow the issuance of refresh tokens because those would allow to obtain new access tokens without the user having to be online/present.

Personally, instead of trying to track activity at the API I would consider the following:

  • Don’t accept tokens that have a lifetime greater than fifteen minutes at the API level.
  • Support renewal of access tokens only by leveraging an authentication session.
  • Track user activity at the client application level instead of the API and after fifteen minutes terminate their authenticated session/remove any tokens.

The above would imply that you control all the client applications calling the API, however, if the API is that sensitive then this is probably true. Since tokens have a lifetime of fifteen minutes and the only way to obtain new access tokens is to use an authenticated session that is only active while the user is also active then this seems to answer your requirements.