Setting jwtConfiguration.lifetimeInSeconds in rule has no effect

I want to create a rule that conditionally changes the context.jwtConfiguration.lifetimeInSeconds depending on an option passed in by the user. However, no matter what this value is set to, the id_token (JWT) always has the expiration that is configured at the client level.

Right now my rules looks like this:

function (user, context, callback) {
  context.jwtConfiguration = context.jwtConfiguration || {};
  context.jwtConfiguration.lifetimeInSeconds = 2592000;
  callback(null, user, context);
}

But this does not seems to work

I was able to reproduce the situation you described. The underlying issue is that the configuration you mentioned is not being considered throughout all the authentication related endpoints. For example, if you perform username/password authentication at /oauth/token]1 endpoint the configuration does not have any effect, while if you use the /oauth/ro]2 endpoint the issued ID Token will have the expiration you configured in the rule.

The endpoint where the setting is respected is part of an older subset of the authentication API so I raised this inconsistency with the engineering team so that they can evaluate if the functionality you mentioned can be made to work across all the endpoints or if this limitation will have to be documented. At this time I cannot provide you any indication of the outcome or possible timeline for this to happen.


Given the current state of things and if you agree we can try to take a step back and analyse if there are other alternatives to the underlying problem; one where setting token expiration through rules is not required. If you want to pursue this route can you open a new question focusing on the underlying requirement you want to implement? (you can leave a comment here with the link to the new question so I get notified)

Oh, that was a convenient feature for us. Well, since there is no definite timeline to resolution, we will try to implement a solution that does not require a rule for setting token expiration. Thanks!

Is there any update on this?

We have a rule which shortens the token lifetime in certain cases (for example, if the user has specific things in their app_metadata). This worked with the /oauth/ro endpoint but has no effect with the /oauth/token endpoint as you described.

e.g.
context.jwtConfiguration.lifetimeInSeconds = someNumber;

Setting the expiration time in the client settings would apply to all users, so without this I’m not sure how the expiry time can be changed on a per-user basis?

The jwtConfiguration.lifetimeInSeconds only worked on some legacy flows (like oauth/ro) and has not been ported to the current flows.
The duration of the ID Token can be configured on a per-application basis through the dashboard.

1 Like