I’m using signin-widget & noticed even after having a policy to expire the token after 5 mins of inactivity, the application doesn’t seem to behave that way & the session stays active for more than the configured timeout.
The access token lifetime gets expired every 5 mins and uses a refresh token to get a new access token as long as the refresh token is active.
Refer to this thread for a detailed explanation. Hope that helps to understand what the screenshot setting means.
Is your application currently configured to use Refresh tokens to keep users logged in? Do you happen to see new /token requests in the network events around 5 minutes after the user initially logged in (when the Access Token would be expiring)?
Finally, are you sure that your application is configured to use the Custom Authorization Server where you’ve configured that Access Rule, or could it instead be using a different Authorization Server with longer token lifetimes?
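One way to check the last two questions from a captured access token, as an added example that is not part of any post in this thread: decode the token's claims and compare `iss` and `exp - iat` with the authorization server and lifetime you expect. The issuer URLs and token below are constructed samples, and the function names are hypothetical.

```javascript
// Diagnostic only: reads claims without verifying the signature,
// so it must not be used to decide whether a token is trustworthy.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a three-part JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Compare issuer and lifetime with what the access policy should produce.
function checkAccessToken(token, expectedIssuer, expectedLifetimeSec) {
  const { iss, iat, exp } = decodeJwtPayload(token);
  if (typeof iat !== "number" || typeof exp !== "number") {
    throw new Error("token has no numeric iat/exp claims");
  }
  const lifetimeSec = exp - iat;
  const findings = [];
  if (iss !== expectedIssuer) {
    findings.push(`issued by ${iss}, expected ${expectedIssuer}`);
  }
  if (lifetimeSec !== expectedLifetimeSec) {
    findings.push(`lifetime is ${lifetimeSec}s, expected ${expectedLifetimeSec}s`);
  }
  return { iss, lifetimeSec, findings };
}

// Constructed sample token (placeholder signature, not a real credential).
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}

// Assumed issuer values for illustration only.
const CUSTOM_ISSUER = "https://example.test/oauth2/custom-as";
const OTHER_ISSUER = "https://example.test/oauth2/other-as";

const sample = makeSampleToken({ iss: OTHER_ISSUER, iat: 1700000000, exp: 1700003600 });
console.log(checkAccessToken(sample, CUSTOM_ISSUER, 300).findings);
```

An empty `findings` list means the access token came from the expected server with the expected lifetime, in which case a session that outlives 5 minutes is being extended by new /token requests using the refresh token.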