Id token lifetime expiration doesn't end user session

Hi @dkotsuka,

The id_token is primarily a cache of the user’s profile to provide better performance, so you don’t need to keep calling the /userinfo endpoint. It is not related to the user’s session, as a user with a valid Auth0 session can request new tokens as and when required.

Unfortunately, there isn’t currently a way to control a user’s session lifetime at an application-level “out of the box”, but you could have your applications call the Auth0 logout endpoint, for example, when your local session timed out, if you wanted their sessions to end quicker than the tenant level setting.

3 Likes
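The approach suggested in the reply above, sketched as an added example that is not part of the original post or Auth0's own code: the application enforces its own idle and absolute timeouts and, when either is hit, sends the browser to the Auth0 `/v2/logout` endpoint so the Auth0 session ends too (clearing only the local session would let the next login redirect silently issue new tokens). The tenant domain, client ID, return URL, timeout values and function names are assumptions.

```javascript
// Added example: the values below are constructed placeholders, not real tenant data.
const AUTH0_DOMAIN = "example-tenant.auth0.com";        // placeholder tenant domain
const CLIENT_ID = "YOUR_CLIENT_ID";                     // placeholder application client ID
const RETURN_TO = "https://app.example.com/signed-out"; // must be listed in Allowed Logout URLs

// Application-level limits (assumed values), shorter than the tenant session settings.
const IDLE_TIMEOUT_MS = 15 * 60 * 1000;
const ABSOLUTE_TIMEOUT_MS = 8 * 60 * 60 * 1000;

// Decide whether the *local* session has expired. The id_token's exp claim is
// deliberately not consulted: it bounds the token, not the user's session.
function localSessionExpired(session, now) {
  const idle = now - session.lastActivity > IDLE_TIMEOUT_MS;
  const tooOld = now - session.createdAt > ABSOLUTE_TIMEOUT_MS;
  return idle || tooOld;
}

// Build the redirect that ends the Auth0 session as well as the local one.
function auth0LogoutUrl() {
  const url = new URL("/v2/logout", `https://${AUTH0_DOMAIN}`);
  url.search = new URLSearchParams({
    client_id: CLIENT_ID,
    returnTo: RETURN_TO,
  }).toString();
  return url.toString();
}

// Per-request check: tells the request handler what to do next.
function checkSession(session, now = Date.now()) {
  if (!session) return { action: "login" };
  if (localSessionExpired(session, now)) {
    // Caller destroys the local session cookie/store, then redirects.
    return { action: "redirect", clearLocalSession: true, location: auth0LogoutUrl() };
  }
  session.lastActivity = now; // sliding idle window
  return { action: "continue" };
}
```

In a real handler the `redirect` result maps to destroying the local session and answering with a 302 to `location`.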