I have read many posts about API authentication and people having issues when configuring M2M token lifetime.
Thanks to these posts, I have found a way to configure it:
go to “Applications → APIs → the specific API → settings → Token Settings”
set the “Token Expiration” parameter
This may look dumb to list those steps here, but I spent quite some time figuring them out.
What I was doing instead was:
“Applications → Applications → the corresponding Machine to Machine application → Settings → ID Token”
Set the ID Token Expiration
This second parameter is not the one I wanted to set (for dev purposes, I wanted to set a very short token lifetime, so I could verify my token renewal code was OK).
I am using Terraform with the official auth0 module.
When configuring an auth0_client, the jwt_configuration block sets the ID Token Expiration (the second one).
My questions:
Using Terraform, how can I configure the “correct” token lifetime (by “correct” I mean “the one I mentioned first”)?
(bonus) I’d like to understand the difference between those two tokens (I have read that one is an ID Token and the other one is an Access Token… well that doesn’t bring much light to me)
Best regards
Fred
PS: BTW why can’t I set the tags I want for this post like “m2m” and “token-expiration” as I can see on some posts?
You’ll want to use the auth0_resource_server resource - Specifically token_lifetime.
The easiest way to think about this is that ID tokens are tied to authentication (who you are) whereas access tokens are tied to authorization (allow access to a resource). Here’s a great video and corresponding blog that do a great job explaining the two.
FWIW, there is no reason for an ID token to be involved in your use case and you can pretty much ignore the ID token lifetime altogether.
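The two settings discussed in this thread, side by side, as an added Terraform example that is not part of the original posts or the provider's documentation. The resource labels, names, identifier URL and lifetime values are placeholders, and the client grant that authorizes the application for the API is left out.

```hcl
# Added example; labels, names, the identifier URL and the values are placeholders.

# The API ("Applications → APIs" in the dashboard). token_lifetime is the
# "Token Expiration" setting: the lifetime, in seconds, of access tokens
# issued for this audience, which is what an M2M client receives.
resource "auth0_resource_server" "example_api" {
  name       = "Example API"
  identifier = "https://api.example.test/"

  # Very short value, for exercising token-renewal code in a dev tenant.
  token_lifetime = 60
}

# The Machine to Machine application. jwt_configuration.lifetime_in_seconds
# is the "ID Token Expiration" setting; changing it does not shorten the
# access tokens this client obtains for the API above.
resource "auth0_client" "example_m2m" {
  name     = "Example M2M client"
  app_type = "non_interactive"

  jwt_configuration {
    lifetime_in_seconds = 36000
  }
}
```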
I thought I’m gonna chime in with something that might be of interest to you! We’re hosting an Ask Me Anything Session in our Forum regarding Auth0 Terraform Provider.
It’s gonna be on Thursday, September 28, 2023. Check out more info about it here!