Allow configuration for ID Token time-to-live #790

Closed
appchemist opened this issue Jun 23, 2022 · 7 comments
@appchemist
Contributor

Expected Behavior
Should allow different clients to customize different ID Token TTL.

Current Behavior
The ID Token TTL is always 30 minutes.

Context
In JwtGenerator.java

```java
Instant issuedAt = Instant.now();
Instant expiresAt;
if (OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue())) {
	// TODO Allow configuration for ID Token time-to-live
	expiresAt = issuedAt.plus(30, ChronoUnit.MINUTES);
} else {
	expiresAt = issuedAt.plus(registeredClient.getTokenSettings().getAccessTokenTimeToLive());
}
```

@appchemist appchemist added the type: enhancement A general enhancement label Jun 23, 2022
@appchemist
Contributor Author

I can't find an issue about ID Token TTL configuration, so I made this issue.

@jgrandja
Collaborator

Related gh-58

@jgrandja jgrandja added the status: on-hold We can't start working on this issue yet label Jul 19, 2022
@octopusthu
Contributor

@jgrandja Is it feasible that we separate this one with gh-58? OIDC Session Management looks like a major feature, which would take a lot of work. However, this one seems to be simple and clear. Like @appchemist stated, we should: 1) add a field (like IdTokenTimeToLive) to TokenSettings; 2) use this setting to set the ID Token's expiresAt claim in JwtGenerator, or fall back to the default if it is not present.

@jgrandja
Collaborator

@octopusthu Yes, this ticket should remain separate from gh-58, as the logic is quite simple and requires changes in TokenSettings and JwtGenerator.

@ClaudenirFreitas

ClaudenirFreitas commented Feb 15, 2023

Hi all,
I would like to contribute to this feature if you do not mind.
I have just created this simple PR for that.
Cheers.

ClaudenirFreitas added a commit to ClaudenirFreitas/spring-authorization-server that referenced this issue Feb 16, 2023
@jgrandja
Collaborator

@octopusthu

> Is it feasible that we separate this one with gh-58?

After re-reviewing the OpenID Connect Session Management 1.0 spec, it actually makes sense to add TokenSettings.idTokenTimeToLive as part of the overall feature to be delivered in gh-58.

Given this, I'm going to close this as a duplicate. cc/ @appchemist

@jgrandja jgrandja self-assigned this Feb 23, 2023
@jgrandja jgrandja added status: duplicate A duplicate of another issue and removed type: enhancement A general enhancement status: on-hold We can't start working on this issue yet labels Feb 23, 2023
@jgrandja
Collaborator

If an application needs to override the default 30min expiry for an ID Token, you can use an OAuth2TokenCustomizer to override the default.
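
One way to apply the workaround described in the comment above, as an added example that is not part of the original thread or the project's own code. It assumes the 1.x package layout for `OAuth2TokenCustomizer` and `JwtEncodingContext`; the class name, the client IDs, the per-client map and the `MAX_TTL` cap are hypothetical.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

@Configuration
public class IdTokenTtlConfig {

	// Constructed sample values: per-client ID Token lifetimes keyed by client_id.
	private static final Map<String, Duration> ID_TOKEN_TTL = Map.of(
			"spa-client", Duration.ofMinutes(5),
			"backoffice-client", Duration.ofMinutes(15));

	// Upper bound so a misconfigured entry cannot issue long-lived ID Tokens.
	private static final Duration MAX_TTL = Duration.ofMinutes(30);

	@Bean
	public OAuth2TokenCustomizer<JwtEncodingContext> idTokenTtlCustomizer() {
		return context -> {
			// Only touch ID Tokens; access tokens keep TokenSettings.getAccessTokenTimeToLive().
			if (!OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue())) {
				return;
			}
			Duration ttl = ID_TOKEN_TTL.get(context.getRegisteredClient().getClientId());
			// No entry or a non-positive value: leave the 30-minute default in place.
			if (ttl == null || ttl.isZero() || ttl.isNegative()) {
				return;
			}
			if (ttl.compareTo(MAX_TTL) > 0) {
				ttl = MAX_TTL;
			}
			// Reuse the iat already set on the claims so exp stays consistent with it.
			Instant issuedAt = context.getClaims().build().getIssuedAt();
			if (issuedAt == null) {
				issuedAt = Instant.now();
			}
			context.getClaims().expiresAt(issuedAt.plus(ttl));
		};
	}
}
```

Relying parties validate `exp` on the ID Token, so a shorter lifetime here narrows the window in which a leaked ID Token is accepted without affecting access token lifetimes.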
