Why is id token expiration not configurable?

I was told I should ask this here instead of support.okta.com.

Why is id token lifetime/expiration not configurable?

It’s been asked previously whether it is possible to extend or configure the expiration for the id token that a custom Okta authentication server generates:

  • help/s/question/0D50Z00008G7UgwSAF/how-to-change-id-tokens-lifetime
  • help/s/question/0D51Y00005lGBR2/is-it-possible-to-set-the-idtoken-lifetime-length

And Okta employees have dutifully regurgitated the documentation stating that it is hard coded to 1 hour (OpenID Connect & OAuth 2.0 API | Okta Developer). But nobody has bothered to explain why it is like this?! Or how one is supposed to create an application using Okta for authentication that doesn’t have either a completely abysmal user experience of forcing the user to re-authenticate every hour¹, or resort to some sort of hack like ignoring JWT expiration and checking the Issued At timestamp instead. If there is some documentation on how to get a refreshed id token without harassing my user that would be helpful, however that’s kind of a crap solution since it’s just making extra work for me when you ought to just be letting me configure Id Token expiration like I can configure Access Token expiration.

¹ Since I was pointed to this forum I found an answer indicating that it is possible to create a webhook that is called at login time to set the expiration (Token Inline Hook Reference | Okta Developer), but that seems like a lot of complexity just to set the expiration when it is already configurable for access tokens.

If you have this issue please upvote: https://ideas.okta.com/app/#/case/116706?section=requests

So is there some rationale I’m missing? Is Okta planning on fixing this?

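Added example (not from the post, and not Okta's code): a minimal token inline hook responder, Python standard library only, showing the documented path the footnote refers to. It checks the shared secret Okta sends in the hook's authorization header, then returns a `com.okta.identity.patch` command on `/token/lifetime/expiration` to set the ID token lifetime. The command type, the JSON path, the inbound `data.identity` shape and the 300..86400 second clamp are my reading of the Token Inline Hook Reference and should be verified against the current docs; the secret and lifetimes are constructed values.

```python
import hmac
import json

# Constructed values: the secret configured on the hook in Okta, the lifetime
# this deployment wants for ID tokens, and the clamp applied before replying.
HOOK_AUTH_SECRET = "replace-with-a-long-random-value"
ID_TOKEN_LIFETIME_SECONDS = 8 * 3600
MIN_LIFETIME, MAX_LIFETIME = 300, 86400  # assumed Okta bounds; verify in docs


def authorized(auth_header):
    """Constant-time comparison of the shared secret Okta sends on each call."""
    return auth_header is not None and hmac.compare_digest(auth_header, HOOK_AUTH_SECRET)


def lifetime_command(seconds):
    """Command patching the ID token lifetime (in seconds), clamped to policy."""
    seconds = max(MIN_LIFETIME, min(MAX_LIFETIME, int(seconds)))
    return {
        "type": "com.okta.identity.patch",
        "value": [{"op": "replace", "path": "/token/lifetime/expiration", "value": seconds}],
    }


def handle_token_hook(raw_body, auth_header):
    """Return (http_status, response_dict) for one inbound token hook call.

    An empty response body tells Okta to issue the token unchanged; only
    requests that actually carry an ID token (data.identity) get the patch.
    """
    if not authorized(auth_header):
        return 401, {}
    body = json.loads(raw_body)
    if "identity" not in body.get("data", {}):
        return 200, {}
    return 200, {"commands": [lifetime_command(ID_TOKEN_LIFETIME_SECONDS)]}


# Constructed inbound request: the subset of fields this handler looks at.
SAMPLE_REQUEST = json.dumps({
    "eventType": "com.okta.oauth2.tokens.transform",
    "data": {
        "identity": {"claims": {"sub": "00u-example"}, "lifetime": {"expiration": 3600}},
        "access": {"claims": {"sub": "00u-example"}, "lifetime": {"expiration": 3600}},
    },
})

if __name__ == "__main__":
    print(json.dumps(handle_token_hook(SAMPLE_REQUEST, HOOK_AUTH_SECRET)[1], indent=2))
```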

Okta this looks bad, after so many years of requests.