Set TTL (or expiry) of Access Token in rules and hooks

Feature:

I would like to be able to set the TTL of a JWT Access Token dynamically in Rules & Hooks.

Description:

In Java script Rule or Hook I would like to be able to change the default TTL or expiry of the access token that gets generated. For example:

ttl_for_this_customer = 60;
access_token.exp = Math.floor(Date.now() / 1000) + ttl_for_this_customer;

Use-case:
We have multiple tiers of customers and trust relationships and would like to be able to shorten the TTL of access tokens for lower tier customers. For example, and especially for M2M clients, I would like to reduce the TTL for newly onboarded customers. As part of onboarding I want to confirm they are caching tokens correctly and setting the TTL to a short time (say 1 minute) would support the token caching use-case. Additionally, until we have confirmed how securely they handle tokens we don’t want them in possession of long-lived tokens.

Hi @rbarber,

Thank you for reaching out to the Auth0 Community!

After reviewing the OAuth 2.0 specification on access tokens, I found it not possible to modify the expiration value of an access token after it is issued. Moreover, the resource owner or API handles the token expiration.

In this case, I recommend creating an API for each of your multiple-tier customers. In each API, you could set different access token expiration times and allow users to authenticate against the API based on their trust factor.

For example, you could have a low-trust API and a high-trust API. Then redirect your newly onboarded customers to the /authorize endpoint specifying the low-trust API identifier as the audience followed with their permissions in the scope. In the API Token settings, you will have to change the Token Expiration (seconds) and Token expiration for
browser flows (seconds) to 60 seconds to expire shortly.

Whereas your trusted customers are redirected to the /authorize endpoint specifying the high-trust API identifier, which has a different and longer access token expiration time.

Hoped this helps!

Please let me know if you need any clarification or have further questions.

Thank you.

Thank you for the response. However, I am not trying to modify the expiration of an existing token…just the expiration before it gets generated.

We don’t have high/low trust APIs (it’s the same APIs) as those would be handled via authorization anyway. It’s our users (or systems) that I am classifying as high/low trust and would like to determine/set the expiration of a token about to be generated for them.

Multiple APIs is not a scalable solution for our ecosystem as I would have to have an API for each possible TTL (two APIs for low/high, or three APIs for low/medium/high, etc)

3 Likes

I’m in the same situation as @rbarber and find it similarly unscalable to have a separate API in Auth0 for each TTL. @rbarber did you find a solution to this?

No solution thus far as we haven’t been forced into a corner…yet.

1 Like