I changed the expirey for tokens in the policy to 5min. The access tokens expired after 5min as expected.
The IdToken exp is always set to 3600s from the creation of the token.
I would expect, that both, access token and id token have same expirey?
If not, how to change the id token expirey?
Just found this: https://support.okta.com/help/s/question/0D50Z00008G7UgwSAF/how-to-change-id-tokens-lifetime
So if the exp can not be changed? Why is it included then at all? Will it be changeable in the future?
The post you linked to is accurate in that the ID Token has a default lifetime of 1 hour, however, there has been a feature released since that time that does allow you to modify the ID Token expiration. You can set up an endpoint for a Token Inline Hook that modifies the claims within the token(s), including the exp claim.
You can read more about this feature and how to implement it here: https://developer.okta.com/docs/reference/token-hook/#sample-response-to-modify-token-lifetime. Note that this does require the use a Custom Authorization Server (such as default and the ones you can create with the API Access Management feature).
This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.