I am implementing authorization in a standard web application (Regular Web Application in the Auth0 dashboard, Golang) using the authorization code flow, following this Auth0 Go SDK quickstart: Add Login to your Go web application.
Why can’t I configure the access token lifetime at the application level, but only for the API?
Hi @bryce.wayne.person
Thank you for posting your question. If you don’t add the audience in your /authorize request, your access token will be opaque. Opaque tokens can be used only with the /userinfo endpoint to return a user’s profile, and access tokens issued strictly for this purpose have a default lifetime and can’t be changed (see Access Tokens).
You can find more information about this topic in the following documentation: Access Tokens, Opaque access tokens. If you add the audience to your /authorize call, you will be able to modify the token expiration value.
Thanks
Dawid
Hi!
Thank you for your answer
Could you please tell me if I understand correctly that I won’t be able to get a valid JWT token (not opaque) and set its lifetime using the Regular Web Application type in the Auth0 dashboard, and that I have to create exactly an “API” in the Auth0 dashboard to be able to do this?
Hi @bryce.wayne.person
I won’t be able to get a valid JWT token (not opaque) and set its lifetime using the Regular Web Application type in the Auth0 dashboard, and I have to create exactly an “API” in the Auth0 dashboard to be able to do this?
Regular Web Applications in Auth0 do not offer configurable token lifetimes for their access tokens, as those tokens are opaque and intended only for /userinfo. By defining an API and requesting tokens using an audience parameter, you get a JWT access token whose lifetime you can configure. So, to control the access token lifetime and get a non-opaque token, you must create and use an API in the Auth0 Dashboard.
https://auth0.com/docs/api/authentication#get-user-info
Thanks
Dawid
Hi, thank you
Could you please tell me how, then, to implement signature validation for an opaque access token?
Standard web application. Frontend+Backend(Golang).
I am implementing this scenario:
- The user registered through the login page (passed the authorization code flow). The backend saves the resulting opaque access token in a cookie, and I also save the refresh token for this access token in the database.
Next, all API requests from the frontend are sent with the received opaque access token in the cookie.
- For each such API request from the frontend, the backend does this: validate the access token (signature) from the cookie → check whether it is expired → if it is expired, refresh it using the refresh token and set the new access token in the cookie. P.S. Refresh token rotation is on, of course.
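The signature check in the scenario above cannot be done on an opaque token, which is the point of the earlier replies. As an added example (not code from this thread, the Auth0 SDK or the Go quickstart), here is a Go validator that rejects an opaque token outright and, for a JWT obtained by adding the audience parameter to /authorize, pins the alg header to RS256, verifies the signature and checks iss, aud and exp. Assumptions: the issuer's RSA public key has already been fetched from the tenant's JWKS and is passed in, aud is a single string, and MintTestJWT only stands in for the issuer so the validator can be exercised offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims holds the access-token claims checked here; json.Unmarshal matches
// field names case-insensitively, so iss/aud/exp land in these fields.
type Claims struct{ Iss, Aud string; Exp int64 }

// IsOpaque: a token without three dotted segments carries no signature to
// verify locally; the backend can only present it to /userinfo.
func IsOpaque(tok string) bool { return strings.Count(tok, ".") != 2 }

// ValidateJWT pins alg to RS256, verifies the signature with the issuer's
// public key, then checks iss, aud and exp. Opaque tokens are rejected first.
func ValidateJWT(tok string, pub *rsa.PublicKey, iss, aud string, now time.Time) (*Claims, error) {
	if IsOpaque(tok) {
		return nil, errors.New("opaque token: nothing to verify locally")
	}
	p, dec := strings.Split(tok, "."), base64.RawURLEncoding.DecodeString
	var hdr struct{ Alg string }
	if raw, err := dec(p[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header unreadable or alg is not RS256")
	}
	h := sha256.Sum256([]byte(p[0] + "." + p[1])) // signing input is the raw header.payload
	if sig, err := dec(p[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if body, err := dec(p[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("payload unreadable")
	}
	if c.Iss != iss || c.Aud != aud || now.Unix() >= c.Exp {
		return nil, errors.New("iss, aud or exp check failed")
	}
	return &c, nil
}

// MintTestJWT signs a constructed RS256 token (standing in for the Auth0
// issuer, not a real flow) so ValidateJWT can be exercised offline.
func MintTestJWT(priv *rsa.PrivateKey, c Claims) string {
	body, _ := json.Marshal(map[string]interface{}{"iss": c.Iss, "aud": c.Aud, "exp": c.Exp})
	enc := base64.RawURLEncoding.EncodeToString
	in := enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(body)
	h := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return in + "." + enc(sig)
}
```

In the cookie flow above, an error from ValidateJWT on a still-unexpired token is a reason to reject the request, not to refresh; only the exp failure is the refresh case.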
Hi!
Could you help me, please?
I cannot implement my scenario because of the opaque access token.