In our application we use an ID token; the token expiration time is quite small, about 10 hours. After expiration we use the renewAuth method to refresh the token. At some point (I believe after the active SSO session has expired) we are not able to renew the token (we get the error login_required). Is it possible to have an ID token expiration time of more than 2 weeks?
It’s possible to configure the ID token expiration through the client settings; more specifically, you can set the JWT Expiration (seconds) field. However, in general, it’s not recommended to have such a long expiration, so take this into consideration. For example, a longer expiration increases the window of time in which a valid token can be leaked/used.
Yeah, a long expiration time is not quite good from a security perspective, BUT when I try to use a short expiration time and frequent token refreshing it eventually ends up in an inability to renew the token. Is there any other way to keep the user logged in for a long time without re-authentication? (We are building an SPA.)
The token renewal process you’re doing (renewAuth) is correct; you can check the value you have configured for SSO Cookie Timeout in your account’s advanced settings to be sure that’s not what is ending the session. The default value of seven days would allow you to refresh tokens for that time period unless the user logs out or remains inactive for a period of three days.
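An added example, not code from the original thread or from Auth0, showing how an SPA built on auth0.js v8 can schedule renewAuth calls from the ID token's exp claim and fall back to an interactive login once renewAuth reports login_required (the situation described above, which happens when the SSO session has ended). The stub WebAuth, the handler names (onRenewed, onLoginRequired, onError) and the unsigned test token are assumptions made so the example runs offline.

```javascript
// Added example, not code from the original thread or from Auth0: drives
// auth0.js v8's webAuth.renewAuth(options, callback) and falls back to an
// interactive login once the SSO session is gone and renewAuth reports
// login_required. The Auth0 client is injected, so a constructed stub stands in
// for auth0.WebAuth here (an assumption for the offline run); the handler names
// (onRenewed, onLoginRequired, onError) are this example's own.

// Errors for which silent renewal cannot succeed: the SSO cookie expired
// (seven-day limit or three-day inactivity, per the thread) or the user logged
// out. The only fix is to send the user through a normal login.
const SILENT_AUTH_FAILURES = new Set([
  'login_required',
  'consent_required',
  'interaction_required',
]);

// Decode the `exp` claim (seconds since epoch) from a JWT without verifying it.
// This is only used to pick a renewal time; trust in the token comes from
// signature verification, which is done elsewhere (Auth0's library / the API).
function tokenExpiryMs(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const payload = JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
  if (!Number.isInteger(payload.exp)) throw new Error('missing exp claim');
  return payload.exp * 1000;
}

// Milliseconds to wait before renewing: `leadMs` before expiry, never negative,
// so a token that is already (almost) expired is renewed immediately.
function msUntilRenewal(idToken, nowMs = Date.now(), leadMs = 60 * 1000) {
  return Math.max(0, tokenExpiryMs(idToken) - leadMs - nowMs);
}

// One renewal attempt. `webAuth` is an auth0.WebAuth instance (or the stub
// below); `options` are passed straight to renewAuth (e.g. redirectUri).
function renewIdToken(webAuth, options, handlers) {
  webAuth.renewAuth(options, (err, authResult) => {
    if (err) {
      if (SILENT_AUTH_FAILURES.has(err.error)) return handlers.onLoginRequired(err);
      return handlers.onError(err); // transient (network, timeout): caller may retry
    }
    if (!authResult || !authResult.idToken) {
      return handlers.onError(new Error('renewAuth returned no idToken'));
    }
    handlers.onRenewed(authResult);
  });
}

// Keep renewing until silent auth fails, then hand off to the login handler.
// Returns the timer so the caller can cancel it on logout. `setTimer` is
// injectable so the flow can be exercised without real timers.
function scheduleRenewal(webAuth, idToken, options, handlers, setTimer = setTimeout) {
  return setTimer(() => {
    renewIdToken(webAuth, options, {
      onRenewed(authResult) {
        handlers.onRenewed(authResult);
        scheduleRenewal(webAuth, authResult.idToken, options, handlers, setTimer);
      },
      onLoginRequired: handlers.onLoginRequired,
      onError: handlers.onError,
    });
  }, msUntilRenewal(idToken));
}

// ---- constructed test doubles (not part of Auth0) ----

// Unsigned JWT for the offline example only. Never accept alg "none" in production.
function makeTestToken(exp) {
  const b64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64url({ alg: 'none', typ: 'JWT' })}.${b64url({ sub: 'user-1', exp })}.`;
}

// Stub WebAuth: renewAuth succeeds `successes` times, then reports login_required,
// as the real one does once the SSO session has ended.
function stubWebAuth(successes, exp) {
  let calls = 0;
  return {
    renewAuth(_options, cb) {
      calls += 1;
      if (calls <= successes) return cb(null, { idToken: makeTestToken(exp) });
      cb({ error: 'login_required', error_description: 'Login required' }, null);
    },
  };
}
```

In the real SPA, pass an auth0.WebAuth instance instead of the stub, have onLoginRequired call webAuth.authorize() (or redirect to your own login route) rather than retrying, and clear the returned timer on logout. Renewal cannot outlive the SSO cookie, so the lead time only needs to cover the token's own expiry, not the session's.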
@jmangelo, is it possible to renew the ID token if the user remains inactive for a period of three days?
No, the user would have to login again after that period.
@jmangelo, is the SSO Cookie Timeout updated every time we invoke the renewAuth method, or not?