
Allow to Modify Access Token Expiration From Rules and Hooks in OIDC Flows



In much the same way that you could modify the expiration of the id_token using the context.jwtConfiguration.lifetimeInSeconds.

It would be great to allow control of access_token expiration for OIDC compliant flows in rules and hooks.

For governance and control reasons I would probably expect the expiration values set on the API to represent the maximum expiration value allowed.


If you’re going to offer modification of any RFC 7519 registered claims, please do all that make sense:

  • exp (Expiration)
  • nbf (Not Before)
  • jti (JWT ID)

I think there’s less of a case for the other registered claims which, if varied, would make troubleshooting very difficult:

  • iss (Issuer)
  • sub (Subject)
  • aud (Audience)
  • iat (Issued At)

… though, some might argue: if your customers want to change those, why not let them?

See also, the IANA JSON Web Token Claims Registry. I note scope is absent; will Auth0 seek registration?


Also encountered the same issue today: an Auth0 rule can’t set the jti field, and as a result we will have a hard time blacklisting an access token without the ability to track each access token. This post talks about blacklisting access tokens using jti, yet Auth0 doesn’t allow a rule to set the jti for OIDC flows.
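The two points raised above (clamping a rule-requested lifetime to the API's configured maximum, and revoking access tokens by jti) as one added example in plain Node.js; this is not Auth0's code and not part of this thread, and the function names, the 3600-second maximum, the skew tolerance and the sample claims are constructed assumptions.

```javascript
// Added example (not Auth0 code): mint claims whose exp is clamped to the API's
// configured maximum, then verify exp, nbf and jti against a jti denylist.
// API_MAX_LIFETIME_SECONDS and CLOCK_SKEW_SECONDS are hypothetical settings.
const API_MAX_LIFETIME_SECONDS = 3600; // assumed per-API maximum token lifetime
const CLOCK_SKEW_SECONDS = 30;         // tolerance applied to exp/nbf checks

// Build the registered claims for an access token. A rule or hook may request a
// shorter lifetime; anything above the API maximum is clamped, so the API-level
// setting stays the ceiling rather than being overridable per request.
function issueClaims({ iss, sub, aud, jti, requestedLifetime, now }) {
  const lifetime = Math.min(requestedLifetime, API_MAX_LIFETIME_SECONDS);
  return { iss, sub, aud, iat: now, nbf: now, exp: now + lifetime, jti };
}

// Resource-server side: returns null when the claims are acceptable, otherwise a
// short reason string so rejections can be logged and counted by cause.
function verifyClaims(claims, { now, expectedIss, expectedAud, revokedJtis }) {
  if (claims.iss !== expectedIss) return 'bad_issuer';
  if (claims.aud !== expectedAud) return 'bad_audience';
  if (typeof claims.exp !== 'number' || now > claims.exp + CLOCK_SKEW_SECONDS) return 'expired';
  if (typeof claims.nbf === 'number' && now + CLOCK_SKEW_SECONDS < claims.nbf) return 'not_yet_valid';
  // Without a jti there is nothing to revoke against, so treat it as a hard failure.
  if (typeof claims.jti !== 'string' || claims.jti.length === 0) return 'missing_jti';
  if (revokedJtis.has(claims.jti)) return 'revoked';
  return null;
}

// Walk through a constructed scenario: a rule asks for a 24-hour token, the API
// clamps it to one hour, the token is accepted, then revoked by jti, then expires.
function demo() {
  const now = 1700000000; // constructed fixed clock for a deterministic run
  const env = { now, expectedIss: 'https://tenant.example/', expectedAud: 'https://api.example' };
  const claims = issueClaims({
    iss: env.expectedIss, sub: 'user|123', aud: env.expectedAud,
    jti: 'constructed-jti-0001', requestedLifetime: 86400, now,
  });
  const revoked = new Set();
  const accepted = verifyClaims(claims, { ...env, revokedJtis: revoked });
  revoked.add(claims.jti);
  const afterRevoke = verifyClaims(claims, { ...env, revokedJtis: revoked });
  const afterExpiry = verifyClaims(claims, { ...env, now: now + 3700, revokedJtis: new Set() });
  return { lifetime: claims.exp - claims.iat, accepted, afterRevoke, afterExpiry };
}

module.exports = { issueClaims, verifyClaims, demo };
```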


I would like to have the nbf claim in there.