Why does Okta make the ID token not configurable? I saw a post with a similar need here: Why is id token expiration not configurable?
Okta allows people to configure the access token and refresh token, but not the ID token. This is very strange and causes unexpected behavior. I used the Envoy OAuth plugin for my OAuth flow, which checks both the ID token and the access token. With the ID token expiring, my users need to log in again, which is very inconvenient for them since the ID token expires in an hour, which is significantly less than the 8-hour access token expiration I set. It creates a very bad experience for my users. I wonder why such a strange setting exists. If Okta issues both an access token and an ID token after a user logs in, why would they expect one to expire earlier than the other?
At this time, it is only possible to configure the lifetime of ID Tokens issued by a Custom Authorization Server using Token Inline Hooks.
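
A sketch of the endpoint logic behind the Token Inline Hook mentioned in the answer, as an added example that is not part of the original thread and not Okta's own code. It authenticates the hook call and returns a `com.okta.identity.patch` command that sets the ID token lifetime to the 8 hours used for the access token in the question. The command shape and event type come from Okta's Token Inline Hook documentation rather than from this thread; the 5-minute to 24-hour bounds, the function names and the shared secret are assumptions.

```python
import hmac
import json

# Assumed bounds for the lifetime value, in seconds (5 minutes to 24 hours).
MIN_LIFETIME_S = 300
MAX_LIFETIME_S = 86400


def build_patch(lifetime_s: int) -> dict:
    """Hook response asking Okta to replace the ID token's expiration."""
    if not MIN_LIFETIME_S <= lifetime_s <= MAX_LIFETIME_S:
        raise ValueError(f"lifetime {lifetime_s}s outside assumed bounds")
    return {
        "commands": [{
            "type": "com.okta.identity.patch",  # targets the ID token
            "value": [{
                "op": "replace",
                "path": "/token/lifetime/expiration",
                "value": lifetime_s,
            }],
        }]
    }


def handle_hook(headers: dict, body: bytes, secret: str, lifetime_s: int):
    """Return (status, response_dict) for one hook call.

    `headers` is assumed to use canonical header names; `secret` is the
    hypothetical value configured as the hook's Authorization header.
    """
    supplied = headers.get("Authorization", "")
    # Constant-time comparison so the secret is not leaked through timing.
    if not hmac.compare_digest(supplied.encode(), secret.encode()):
        return 401, {}
    try:
        event = json.loads(body)
    except ValueError:
        return 400, {}
    if (not isinstance(event, dict)
            or event.get("eventType") != "com.okta.oauth2.tokens.transform"):
        return 400, {}
    return 200, build_patch(lifetime_s)


# Constructed sample request: match the 8-hour access token from the question.
SAMPLE_BODY = json.dumps({"eventType": "com.okta.oauth2.tokens.transform"}).encode()
if __name__ == "__main__":
    print(handle_hook({"Authorization": "example-secret"}, SAMPLE_BODY,
                      "example-secret", 8 * 3600))
```

The hook only changes the token's lifetime; the Envoy filter in the question still rejects the ID token once the patched expiry passes.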