Skip to main content
For Authlete 2.x documentation, see 2.x version.

Overview

In Authlete 3.0, token durations can be configured at multiple levels, including the Service level and the Client level. These durations can be set statically at these levels or configured dynamically based on specific scopes. For more details on dynamic configuration, refer to the Token Duration Per Scope documentation. This short article explains how to set token durations for access tokens, refresh tokens and ID tokens at the client level.

Configuring Token Duration for a Client

To configure the token duration for access tokens or refresh tokens, follow these steps:

Access Token Duration

  1. Log in to the Authlete Management Console.
  2. Navigate to Client Settings > Tokens and Claims > Access Token.
  3. In the General section, locate the Enter Duration field.
  4. Set the desired duration for access tokens in seconds (as shown in the screenshot below).
  5. Click Save Changes to apply the configuration.

Refresh Token Duration

  1. Log in to the Authlete Management Console.
  2. Navigate to Client Settings > Tokens and Claims > Refresh Token.
  3. In the General section, locate the Enter Duration field.
  4. Set the desired duration for refresh tokens in seconds (as shown in the screenshot below).
  5. Click Save Changes to apply the configuration.

ID Token Duration

  1. Log in to the Authlete Management Console.
  2. Navigate to Client Settings > Tokens and Claims > ID Token.
  3. In the ID Token Duration section, locate the Enter Duration field.
  4. Set the desired duration for ID tokens in seconds (as shown in the screenshot below).
  5. Click Save Changes to apply the configuration.

Example

Assume there is a service and two clients registered with it. The values of the access token duration are configured as follows:
EntityAccess Token Duration (seconds)
Service86,400
Client 1(not set)
Client 23,000
Under these conditions, Authlete’s POST /auth/authorization/issue API responds to implicit grant flow authorization requests from the clients as follows:

Response to an authorization request from Client 1

{
    "type": "authorizationIssueResponse",
    "accessTokenDuration": 86400,
    "responseContent": "https://client.example.org/cb/example.com#access_token=1zT0XRynwLryWYRKCYSDjrwku5sD-WQTCtC1tnfExZE&token_type=Bearer&expires_in=86400&scope=openid"
}
Explanation: The access token duration for the Service is used since no value is configured for Client 1.

Response to an authorization request from Client 2

{
   "type": "authorizationIssueResponse",
   "accessTokenDuration": 3000,
   "responseContent": "https://client.example.org/cb/example.com#access_token=xg79MJucCq8f8QPA2_o9_q5nfzgbRQycgVwYSvMSWTY&token_type=Bearer&expires_in=3000&scope=openid"
}
Explanation: The access token duration for Client 2 is used since it is explicitly set.

See Also