I was told I should ask this here instead of support.okta.com
Why is id token lifetime/expiration not configurable?
It’s been asked previously whether it is possible to extend or configure the expiration for the id token that a custom Okta authentication server generates:
- help/s/question/0D50Z00008G7UgwSAF/how-to-change-id-tokens-lifetime
- help/s/question/0D51Y00005lGBR2/is-it-possible-to-set-the-idtoken-lifetime-length
And Okta employees have dutifully regurgitated the documentation stating that it is hard coded to 1 hour (OpenID Connect & OAuth 2.0 API | Okta Developer). But nobody has bothered to explain why it is like this?! Or how one is supposed to create an application using Okta for authentication that doesn’t have either a completely abysmal user experience of forcing the user to re-authenticate every hour¹, or resort to some sort of hack like ignoring JWT expiration and checking the Issued At timestamp instead. If there is some documentation on how to get a refreshed ID token without harassing my user that would be helpful, however that’s kind of a crap solution since it’s just making extra work for me when you ought to just be letting me configure ID token expiration like I can configure access token expiration.
¹ Since I was pointed to this forum I found an answer indicating that it is possible to create a webhook that is called at login time to set the expiration (Token Inline Hook Reference | Okta Developer), but that seems like a lot of complexity just to set the expiration when it is already configurable for access tokens.
If you have this issue please upvote: https://ideas.okta.com/app/#/case/116706?section=requests
So is there some rationale I’m missing? Is Okta planning on fixing this?
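The two options the post contrasts, checking `iat` against a guessed lifetime versus honouring `exp` and using the refresh-token grant to obtain a new ID token, as an added example in Python (not code from the post or from Okta; the issuer URL, client ID, token values and the public-client form body are placeholders/assumptions, and signature verification against the issuer's JWKS is assumed to happen before the claims are trusted):

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholders, not real Okta values.
ISSUER = "https://example.okta.com/oauth2/default"  # hypothetical custom authorization server
CLIENT_ID = "client-id-placeholder"
LEEWAY_S = 60  # refresh slightly before exp so an in-flight request never carries a stale token

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_id_token(iat: int, lifetime_s: int = 3600) -> str:
    """Build an unsigned sample ID token with the fixed one-hour lifetime (constructed data)."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "kid-placeholder"}).encode())
    claims = {"iss": ISSUER, "sub": "00u-placeholder", "aud": CLIENT_ID, "iat": iat, "exp": iat + lifetime_s}
    return f"{header}.{_b64url(json.dumps(claims).encode())}.signature-placeholder"

def id_token_claims(token: str) -> dict:
    """Decode the payload segment. Verify the signature against the issuer's JWKS before trusting it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64 padding the JWT encoding strips
    return json.loads(base64.urlsafe_b64decode(payload))

def id_token_needs_refresh(token: str, now: int, leeway_s: int = LEEWAY_S) -> bool:
    """Decide on `exp`, the claim a verifier enforces, rather than on `iat` plus a guessed lifetime."""
    return id_token_claims(token)["exp"] - leeway_s <= now

def refresh_request(refresh_token: str, issuer: str = ISSUER, client_id: str = CLIENT_ID) -> tuple:
    """URL and form body for the refresh_token grant on /v1/token (public client: client_id in body).
    Requesting the openid scope asks for a fresh id_token in the response, so the session can
    continue past the hour without sending the user back through the login screen."""
    body = urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "scope": "openid offline_access",
    })
    return f"{issuer}/v1/token", body

def next_step(token: str, refresh_token: str, now: int) -> tuple:
    """('use', token) while it is fresh; ('refresh', form body) once it is near or past exp."""
    if id_token_needs_refresh(token, now):
        return "refresh", refresh_request(refresh_token)[1]
    return "use", token
```

The refresh call itself is a normal HTTPS POST of that body to the returned URL; the form body shown is for a public client, a confidential client would authenticate with its secret instead of sending `client_id` in the body.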