Id token lifetime expiration doesn't end user session

I want to understand what the id_token lifetime is for.
Basically, I need to force the user to log in again after some time, but I need to set different times for each application.

I tried the id_token expiry time, but it didn't work. The user continues with the active session even after the token lifetime has elapsed.

On the other hand, I got the effect by changing the tenant settings, but that impacts all applications, which is not what I'm aiming for.

Should id_token expiration enforce the session end?


Hi @dkotsuka,

The id_token is primarily a cache of the user’s profile to provide better performance, so you don’t need to keep calling the /userinfo endpoint. It is not related to the user’s session, as a user with a valid Auth0 session can request new tokens as and when required.

Unfortunately, there isn't currently a way to control a user's session lifetime at an application level "out of the box", but you could have your applications call the Auth0 logout endpoint, for example when your local session times out, if you wanted their sessions to end sooner than the tenant-level setting.

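An added example (not code from the thread or from Auth0) of the workaround described in the reply above: the client keeps its own per-application session clock, treats an expired id_token as a signal to renew tokens rather than as the end of the session, and sends the browser to Auth0's /v2/logout endpoint only when the application's own session budget is spent. The tenant domain `example-tenant.auth0.com`, the client id `APP_CLIENT_ID`, the `returnTo` URL and the `maxSessionSeconds` value are placeholders chosen for this example, and the token is a constructed, unverifiable sample so the code runs offline.

```javascript
// Added example: per-application session enforcement for an Auth0 client.
// Not part of the original thread; tenant domain, client id, returnTo and
// maxSessionSeconds below are placeholder assumptions.
//
// The id_token's `exp` only bounds how long its claims may be cached. The
// Auth0 session is tenant-wide and outlives it, so a client that wants a
// shorter, per-app session must track its own login time and call the
// Auth0 logout endpoint itself when that budget runs out.

const b64url = (s) =>
  Buffer.from(s).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

const b64urlDecode = (s) =>
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');

// Constructed sample token in JWT shape (header.payload.signature) with a
// fake signature. A real id_token must be verified (signature, iss, aud, exp)
// before any claim is trusted; this example only reads `exp` for local
// session bookkeeping, never for an authorization decision.
function makeSampleIdToken(claims) {
  const header = { alg: 'RS256', typ: 'JWT' };
  return `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}.constructed-signature`;
}

function decodeIdTokenPayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

// True when the cached id_token is stale (exp is seconds since the epoch).
function idTokenExpired(idToken, now) {
  const { exp } = decodeIdTokenPayload(idToken);
  return typeof exp !== 'number' || exp <= now;
}

// RP-initiated logout against Auth0's /v2/logout endpoint; returnTo must be
// on the application's allow-list in the Auth0 dashboard.
function buildAuth0LogoutUrl({ domain, clientId, returnTo }) {
  const url = new URL(`https://${domain}/v2/logout`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('returnTo', returnTo);
  return url.toString();
}

// Decide what the app should do on each navigation:
//  - 'logout':   the per-app budget is spent. Ending the Auth0 session too is
//                what makes the user authenticate again; otherwise the next
//                login completes silently against the still-valid session.
//  - 'renew':    the id_token is stale but the app session is within budget;
//                request fresh tokens (the Auth0 session is still valid, so
//                this succeeds without prompting the user).
//  - 'continue': nothing to do.
function decideSessionAction({ idToken, loginAt, now, maxSessionSeconds, domain, clientId, returnTo }) {
  if (now - loginAt >= maxSessionSeconds) {
    return { action: 'logout', redirectTo: buildAuth0LogoutUrl({ domain, clientId, returnTo }) };
  }
  if (idTokenExpired(idToken, now)) {
    return { action: 'renew' };
  }
  return { action: 'continue' };
}

// In a browser, a 'logout' decision is acted on by navigating to the URL;
// guarded so the same code also runs under Node for the offline demo.
function applyDecision(decision) {
  if (decision.action === 'logout' && typeof window !== 'undefined') {
    window.location.assign(decision.redirectTo);
  }
  return decision.action;
}

// Offline demo on the constructed token: logged in two hours ago, token
// expired an hour ago, per-app budget of one hour => logout.
function demo() {
  const now = 1700000000;
  const idToken = makeSampleIdToken({
    iss: 'https://example-tenant.auth0.com/', sub: 'auth0|123',
    aud: 'APP_CLIENT_ID', iat: now - 7200, exp: now - 3600,
  });
  return applyDecision(decideSessionAction({
    idToken, loginAt: now - 7200, now, maxSessionSeconds: 3600,
    domain: 'example-tenant.auth0.com', clientId: 'APP_CLIENT_ID',
    returnTo: 'https://app.example/',
  }));
}
```

Note that the per-app `loginAt` timestamp has to live somewhere the client controls (for example, recorded when the login callback completes), because nothing in the id_token tells the app how long the tenant session has been open.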

Thanks for helping with this one, Steve!
