'Why does OpenIddict set the various token's lifetime on the server level and not on the application level?

We are setting up an Authorisation server with OpenIddict and are figuring out how to accomodate different types of applications.

Our hope was to :

  • work with Authorization code + pkce for all our applications
  • adjust the lifetime of IdentityToken / AccessToken / RefreshToken depending on the type of the applications (e.g. serverside api's vs spa's etc)

I expected that one could set the token lifetime through the ApplicationDescriptor.

But it seems one can only set these in Startup when the OpenIddictBuilder AddServer registers the OpenIddict services with the appropriate options.

        // Register the OpenIddict server components.
        .AddServer(options =>
        {
            options
                .AllowAuthorizationCodeFlow()
                .RequireProofKeyForCodeExchange()  
                .AllowRefreshTokenFlow(); 

            options.SetAccessTokenLifetime(System.TimeSpan.FromHours(2));
            options.SetIdentityTokenLifetime(System.TimeSpan.FromHours(1));
            options.SetRefreshTokenLifetime(System.TimeSpan.FromDays(1));
            // ....

Can one indeed only set the lifetime of these tokens at the server level? Which implicates that all applications have the same token lifetime ? Or am I missing something obvious?

openid-connectopeniddict


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source

Related Questions

No authentication handler is registered for the scheme 'Cookies'. The registered schemes are: Application, Bearer, ASOS

What is the best approach to logout from keycloak after authentication via pkce?

How do I validate a JWT using JwtSecurityTokenHandler and a JWKS endpoint?

Change the preferred_username in token for client credential grant flow

ASP.NET Web API and OpenID Connect: how to get Access Token from Authorization Code

What are the default Lifetime values for openiddict tokens

Web API with Microsoft Identity Platform Authentication

RFC - Adding Group Claims from OKTA to Role Claims in .net Framework Using OIDC

Blazor WebAssembly Hosted on IIS - only API is working

OpenIdConnectProtocolValidator - nonce error

Logout from Keycloak does not logout Active Directory User

OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint

How to configure Keycloak to work with Guacamole's OpenID plugin?

Web App SPA & OIDC: How to properly authenticate before accessing the front?

Null Reference Exception when calling GraphServiceClient from a .net core Razor application that uses OpenIdConnect