I’ve been working with an Authentication API, but I’m having some trouble with the token expiration time.
Currently, the expires_at value in the response from oauth/token is always set to now + 86400, which equates to 24 hours. I was wondering if there’s any way to change this value to better suit my project’s needs. I’ve attempted to modify the Token Expiration of the Auth0 Management API, but unfortunately, it didn’t seem to affect the returned value.
If anyone has any suggestions or solutions to this issue, I would greatly appreciate your help. Thank you!
Thank you for your response! Let me provide some additional details.
I am currently utilizing the @auth0/nextjs-auth0 library to retrieve the ID Token. This library sends a request to the /oauth/token endpoint and extracts the ID Token from the response. It also retrieves the expires_at value from the response, which is used by the library to determine whether the token has expired or not. Once the token has expired, the library will refresh it by sending another request to the /oauth/token endpoint.
It’s possible to modify the expiration time of the ID Token within the management console. This will result in a modification of the exp value within the ID Token JWT, but the expires_at value will remain unchanged.
Is it possible to modify the expires_at value? I don’t think it’s currently possible to do so.
Thanks for all the detailed information, very helpful!
expires_in is in relation to the access token’s expiration and not the ID token - If I am understanding your question correctly, you should be able to adjust this time by changing the token expiration of the access token in the relevant API settings. In your dashboard this can be done at Application → APIs → Settings → Token Settings:
Thank you for your suggestion, but unfortunately, it did not resolve my issue. Let me explain how to reproduce the problem:
Create a new tenant, which will have one default application and the “Auth0 Management API”.
Delete the default application and create a new “Regular Web Application”.
Configure the web app and log in via Auth0.
You will receive a session with an idToken, accessTokenExpiresAt, and other fields. The value of accessTokenExpiresAt will be now + 86400, as previously described.
I’ve attempted to modify the Token Expiration of the Auth0 Management API, but unfortunately, it didn’t seem to affect the returned value. The “Token Expiration for Browser Flows (Seconds)” field exists within the Auth0 Management API, but any modifications made to it were not accepted. The attached image shows that the field’s value is 7200.
Hi there @kenkoooo-estie sorry for the delay on this one - I am as of now unable to reproduce. Do you mind sharing here a sample access token? Please redact any sensitive information.
Do you see these changes (300 second expiration time) for the Management API token retrieved in any way listed in the “Test” tab? I just tested Curl and Node.js and do indeed see the correct expiration time reflected in the token.
So when there is no audience parameter specified, the Access Token returned from Auth0 is intended for use with the Auth0 ‘/userinfo’ endpoint only. As I recall, you can’t currently set the default expiration for this from the Auth0 Dashboard.
To get an Auth0 Access Token for a specific API you must also specify an audience; from the example screenshots shared previously, the audience would be the identifier associated with the relevant API. You can then set Token Expiration to the value desired, and this will be reflected in the Access Token returned. Today, any Access Token generated by Auth0 can be used to call both the (custom) API associated with the designated audienceand also the Auth0 /userinfo endpoint.