
TokenLifetimeConfiguration

Scott Cantor edited this page Feb 22, 2021 · 14 revisions

OIDC tokens have a lifetime. Sensible values depend on the use case and cannot be predetermined: a shorter lifetime narrows the window in which a leaked token can be replayed, while a longer one reduces how often the client has to come back to the IdP.

File(s): conf/idp.properties, conf/relying-party.xml

Configuring default values in idp.properties

Default lifetimes for the ID token, access token, refresh token and authorization code may be changed in idp.properties. Values are ISO 8601 durations (PT5M is 5 minutes), the same form used in the relying-party.xml example further down.

  • idp.oidc.authorizeCode.defaultLifetime: default lifetime of an authorization code, defaults to 5 minutes.
  • idp.oidc.accessToken.defaultLifetime: default lifetime of an access token, defaults to 10 minutes.
  • idp.oidc.idToken.defaultLifetime: default lifetime of an ID token, defaults to 60 minutes.
  • idp.oidc.refreshToken.defaultLifetime: default lifetime of a refresh token, defaults to 120 minutes.

Overriding default values in relying-party.xml

The defaults may be overridden per relying party, for example by setting them on the OIDC.SSO profile configuration of that relying party in relying-party.xml:

<bean parent="RelyingPartyByName" c:relyingPartyIds="https://rp.example.org" p:responderIdLookupStrategy-ref="profileResponderIdLookupFunction">
    <property name="profileConfigurations">
        <list>
            <bean parent="OIDC.SSO" p:iDTokenLifetime="PT2H" p:accessTokenLifetime="PT2H" p:authorizeCodeLifetime="PT10M" />
        </list>
    </property>
</bean>

Configuring revocation cache

An authorization code may be used only once. Each issued code is recorded in the Shibboleth replay cache so that a second redemption is detected. Reuse of an authorization code invalidates all tokens derived from it; that invalidation is tracked in a separate server-side cache, the revocation cache.

The following revocation cache properties may be changed in idp.properties.

  • idp.oidc.revocationCache.authorizeCode.lifetime: lifetime of entries stored in the revocation cache; defaults to 6 hours.
  • idp.oidc.revocationCache.StorageService: storage service backing the revocation cache. Requires server-side storage; in a clustered deployment the storage service must be shared by all nodes, otherwise a code replayed against another node is not recognised. Defaults to shibboleth.StorageService.
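The lifetimes above interact: a revocation entry is only useful while a token derived from the reused code is still valid, so the revocation cache lifetime should cover the longest token lifetime in effect, including per-relying-party overrides from relying-party.xml. The following linter is an added example written for this page, not code from the Shibboleth OIDC plugin. It reads the property defaults, applies OIDC.SSO overrides, and flags authorization codes living longer than the 10 minutes RFC 6749 recommends and revocation entries shorter than the longest derived token. The property and relying-party fragments are constructed samples; the relying party https://long.example.org and the p:refreshTokenLifetime attribute are assumptions made for the example and are not on this page.

```python
"""Lint OIDC token lifetimes from idp.properties plus per-RP overrides.

Added example for this page, not part of the Shibboleth OIDC plugin.
"""
import re
import xml.etree.ElementTree as ET
from datetime import timedelta

BEANS_NS = "http://www.springframework.org/schema/beans"
P_NS = "http://www.springframework.org/schema/p"
C_NS = "http://www.springframework.org/schema/c"

# Property key -> OIDC.SSO attribute that overrides it for one relying party.
# refreshTokenLifetime is an assumed attribute name (not documented on this page).
LIFETIME_KEYS = {
    "idp.oidc.authorizeCode.defaultLifetime": "authorizeCodeLifetime",
    "idp.oidc.accessToken.defaultLifetime": "accessTokenLifetime",
    "idp.oidc.idToken.defaultLifetime": "iDTokenLifetime",
    "idp.oidc.refreshToken.defaultLifetime": "refreshTokenLifetime",
}
REVOCATION_KEY = "idp.oidc.revocationCache.authorizeCode.lifetime"
MAX_CODE_LIFETIME = timedelta(minutes=10)  # RFC 6749 section 4.1.2 recommendation

# Constructed sample of the relevant idp.properties lines (the page's defaults).
SAMPLE_PROPERTIES = """\
idp.oidc.authorizeCode.defaultLifetime = PT5M
idp.oidc.accessToken.defaultLifetime = PT10M
idp.oidc.idToken.defaultLifetime = PT60M
idp.oidc.refreshToken.defaultLifetime = PT120M
idp.oidc.revocationCache.authorizeCode.lifetime = PT6H
"""

# Constructed relying-party.xml fragment; namespace declarations added so it parses alone.
SAMPLE_RELYING_PARTY = f"""<beans xmlns="{BEANS_NS}" xmlns:c="{C_NS}" xmlns:p="{P_NS}">
  <bean parent="RelyingPartyByName" c:relyingPartyIds="https://rp.example.org">
    <property name="profileConfigurations"><list>
      <bean parent="OIDC.SSO" p:iDTokenLifetime="PT2H" p:accessTokenLifetime="PT2H" p:authorizeCodeLifetime="PT10M"/>
    </list></property>
  </bean>
  <bean parent="RelyingPartyByName" c:relyingPartyIds="https://long.example.org">
    <property name="profileConfigurations"><list>
      <bean parent="OIDC.SSO" p:refreshTokenLifetime="P7D" p:authorizeCodeLifetime="PT30M"/>
    </list></property>
  </bean>
</beans>"""

_ISO = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text: str) -> timedelta:
    """Parse the ISO 8601 duration subset used in the IdP config (D/H/M/S fields)."""
    m = _ISO.match(text.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported ISO 8601 duration: {text!r}")
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)


def parse_properties(text: str) -> dict:
    """Minimal key = value reader for the properties lines we care about."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def rp_overrides(xml_text: str) -> dict:
    """Map relying party id -> {attribute: duration} from OIDC.SSO beans under RelyingPartyByName."""
    root = ET.fromstring(xml_text)
    result = {}
    for rp in root.iter(f"{{{BEANS_NS}}}bean"):
        if rp.get("parent") != "RelyingPartyByName":
            continue
        rp_id = rp.get(f"{{{C_NS}}}relyingPartyIds", "?")
        for sso in rp.iter(f"{{{BEANS_NS}}}bean"):  # includes rp itself, which is skipped below
            if sso.get("parent") != "OIDC.SSO":
                continue
            for attr in LIFETIME_KEYS.values():
                value = sso.get(f"{{{P_NS}}}{attr}")
                if value is not None:
                    result.setdefault(rp_id, {})[attr] = parse_duration(value)
    return result


def lint(properties_text: str, relying_party_xml: str) -> list:
    """Return (relying party, message) findings for the defaults and every override."""
    props = parse_properties(properties_text)
    defaults = {attr: parse_duration(props[key]) for key, attr in LIFETIME_KEYS.items()}
    revocation = parse_duration(props[REVOCATION_KEY])
    targets = {"(defaults)": defaults}
    for rp_id, override in rp_overrides(relying_party_xml).items():
        targets[rp_id] = {**defaults, **override}  # override wins, rest inherited from defaults
    findings = []
    for name, lt in targets.items():
        if lt["authorizeCodeLifetime"] > MAX_CODE_LIFETIME:
            findings.append((name, f"authorization code lifetime {lt['authorizeCodeLifetime']} exceeds 10 minutes"))
        longest = max(lt["accessTokenLifetime"], lt["iDTokenLifetime"], lt["refreshTokenLifetime"])
        if revocation < longest:
            findings.append((name, f"revocation entries live {revocation}, derived tokens up to {longest}"))
    return findings


if __name__ == "__main__":
    for rp, msg in lint(SAMPLE_PROPERTIES, SAMPLE_RELYING_PARTY):
        print(f"{rp}: {msg}")
```

With the sample input the defaults and https://rp.example.org pass, while https://long.example.org is reported twice: its 30-minute code lifetime exceeds the recommended maximum, and its 7-day refresh token outlives the 6-hour revocation entry, so a reused code for that relying party would stop being recognised as revoked long before the refresh token expires.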

(Migrated)