Tokens
Last updated
In the Tokens tab, the Default Signature Algorithm is set to RS256.
This indicates the default algorithm used to sign tokens for the realm.
This is a toggle button. When it is ON, a refresh token is revoked once it has been used the number of times set in Refresh Token Max Reuse (which you can adjust to suit your requirements); until that limit is reached it remains usable.
When it is OFF, refresh tokens are not revoked and remain valid for repeated use.
Turning Revoke Refresh Token ON makes the Refresh Token Max Reuse field available.
Specify the number of times a refresh token may be reused.
Once this limit is reached, the refresh token is revoked and a new one is issued.
Use the arrow buttons to increase or decrease the number as needed.
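The following is an added example, not part of the original page: a minimal server-side model of the Revoke Refresh Token and Refresh Token Max Reuse behaviour described above, using constructed sequential token ids in place of real random token values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class RefreshTokenStore:
    """Server-side bookkeeping for refresh tokens under the two toggle states."""
    revoke_refresh_token: bool            # the Revoke Refresh Token toggle
    refresh_token_max_reuse: int = 0      # extra uses allowed after the first one
    _uses: Dict[str, int] = field(default_factory=dict)   # token -> times used
    _next_id: int = 0

    def issue(self) -> str:
        """Issue a new refresh token. Sequential ids are a constructed stand-in
        for the random token values a real server would generate."""
        self._next_id += 1
        token = f"rt-{self._next_id}"
        self._uses[token] = 0
        return token

    def refresh(self, token: str) -> Optional[str]:
        """Exchange a refresh token for a new one. Returns None when the presented
        token is unknown or has already been revoked."""
        if token not in self._uses:
            return None
        self._uses[token] += 1
        # With the toggle ON, the old token is revoked once its reuse limit is
        # reached; with the toggle OFF it stays valid for any number of uses.
        if self.revoke_refresh_token and self._uses[token] > self.refresh_token_max_reuse:
            del self._uses[token]
        return self.issue()

    def is_valid(self, token: str) -> bool:
        """True while the token has not been revoked."""
        return token in self._uses
```

With Refresh Token Max Reuse set to 1, a token survives its first use and is revoked on the second; a replay after that is rejected.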
This is the period of inactivity after which a session expires.
Tokens and browser sessions are invalidated when the session expires.
The idle timer resets whenever a client authenticates or requests a token refresh.
You can adjust the value using the arrow buttons and choose the duration unit (Minutes, Hours, or Days) from the dropdown.
This represents the maximum duration that a session remains active.
Once this time limit is exceeded, the session expires.
This invalidates both tokens and browser sessions.
You can modify the value using the arrow buttons and select the duration unit (Minutes, Hours, or Days) from the dropdown.
This is how long a Remember Me session can remain idle before it expires.
Once expired, both token and browser sessions are invalidated.
If not set, it defaults to the standard SSO Session Idle value.
You can adjust this value using the arrow buttons and select the duration unit (Minutes, Hours, or Days) from the dropdown.
This sets the maximum duration for a Remember Me session before expiration.
Both token and browser sessions are invalidated upon expiration.
If not set, it defaults to the standard SSO Session Max value.
You can adjust this duration using the arrow buttons and select the duration unit (Minutes, Hours, or Days) from the dropdown.
This setting is for offline access and defines the duration for which an Offline Session can remain idle before expiration.
To maintain the Offline Session, the offline token must be refreshed at least once within this period; otherwise, the session will expire.
You can adjust this duration using the arrow buttons and choose the duration unit (Minutes, Hours, or Days) from the dropdown menu.
When this toggle is ON, Offline Session Max caps how long an offline session can last, regardless of user activity.
When it is OFF, offline sessions expire only through inactivity.
Turning it ON also makes Offline Session Max, Client Offline Session Idle and Client Offline Session Max available for configuration.
This setting is for offline access, determining the maximum duration for which an Offline Session remains active irrespective of user activity.
You can customize this duration and select the unit (Minutes, Hours, or Days) from the dropdown menu as per your requirements.
This setting defines the duration for which a Client Offline session can remain idle before expiring. Offline tokens get invalidated once the client offline session expires.
You can adjust this value and select the duration unit from the dropdown menu to suit your needs.
If not set, it defaults to the Offline Session Idle value.
This setting determines the maximum duration for which a Client Offline Session remains active before expiration.
Offline tokens get invalidated upon Offline Session expiry.
You can adjust the value and select the duration unit from the dropdown.
If left unset, it defaults to the Offline Session Max value.
This refers to the duration for which a Client Session can remain idle before expiration.
Tokens are invalidated upon session expiry.
If not set, it defaults to the standard SSO Session Idle value.
You can adjust the values and select the duration unit from the dropdown menu as needed.
This refers to the maximum duration for which a Client Session remains active before expiration.
Tokens are invalidated once the session expires.
If not set, it defaults to the standard SSO Session Max value.
You can adjust the values and select the duration unit from the dropdown menu as required.
This defines the maximum lifespan of an Access Token before it expires.
It is generally recommended to keep this shorter than the SSO Timeout duration.
You can adjust the values and select the duration unit from the dropdown menu as required.
This is the maximum lifespan for Access Tokens generated during the OpenID Connect Implicit Flow.
This value is recommended to be shorter than the SSO Timeout.
Unlike tokens from other flows, these cannot be refreshed, which is why this is a separate setting from Access Token Lifespan.
You can adjust the values and select the duration unit from the dropdown menu as required.
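The following is an added example, not code from the original page: it resolves the "if not set, it defaults to" rules for the Remember Me, client session and offline settings described above and flags lifespans that contradict the recommendations for Access Token Lifespan. Field names are this example's own, not the product's configuration keys, and "SSO Timeout" is assumed to mean SSO Session Idle.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class TokenSettings:
    """Realm-level values in seconds; None means 'not set' in the admin console."""
    sso_session_idle: int
    sso_session_max: int
    access_token_lifespan: int
    access_token_lifespan_implicit: int
    offline_session_idle: int
    offline_session_max_limited: bool = False
    offline_session_max: Optional[int] = None
    sso_idle_remember_me: Optional[int] = None
    sso_max_remember_me: Optional[int] = None
    client_session_idle: Optional[int] = None
    client_session_max: Optional[int] = None
    client_offline_session_idle: Optional[int] = None
    client_offline_session_max: Optional[int] = None

def _fallback(value: Optional[int], default: Optional[int]) -> Optional[int]:
    return default if value is None else value

def effective(s: TokenSettings) -> dict:
    """Resolve the 'if not set, defaults to ...' rules into the values that apply."""
    eff = {
        "sso_idle_remember_me": _fallback(s.sso_idle_remember_me, s.sso_session_idle),
        "sso_max_remember_me": _fallback(s.sso_max_remember_me, s.sso_session_max),
        "client_session_idle": _fallback(s.client_session_idle, s.sso_session_idle),
        "client_session_max": _fallback(s.client_session_max, s.sso_session_max),
        "client_offline_session_idle": _fallback(s.client_offline_session_idle, s.offline_session_idle),
        # Offline maximums only apply while Offline Session Max Limited is ON.
        "offline_session_max": s.offline_session_max if s.offline_session_max_limited else None,
        "client_offline_session_max": None,
    }
    if s.offline_session_max_limited:
        eff["client_offline_session_max"] = _fallback(s.client_offline_session_max, s.offline_session_max)
    return eff

def lint(s: TokenSettings) -> List[str]:
    """Flag values that contradict the recommendations (SSO Timeout read as SSO Session Idle, an assumption)."""
    findings = []
    if s.access_token_lifespan >= s.sso_session_idle:
        findings.append("Access Token Lifespan should be shorter than SSO Session Idle")
    if s.access_token_lifespan_implicit >= s.sso_session_idle:
        findings.append("Implicit Flow Access Token Lifespan should be shorter than SSO Session Idle")
    if s.offline_session_max_limited and s.offline_session_max is None:
        findings.append("Offline Session Max Limited is ON but Offline Session Max is not set")
    return findings
```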
This is the maximum time a client has to complete the OpenID Connect (OIDC) Authorization Code Flow.
A value of about 1 minute is typically recommended.
You can adjust the values and select the duration unit from the dropdown menu as required.
This sets the maximum duration for users to complete the login process.
If authentication exceeds this time, users need to start the authentication process again.
A relatively long duration, such as 30 minutes, is recommended.
You can adjust the values and select the duration unit from the dropdown menu as required.
This is the maximum time users have to complete login-related actions, such as updating a password or configuring TOTP.
A duration of around 5 minutes or more is recommended.
You can adjust the values and select the duration unit from the dropdown menu as required.
This refers to the maximum time after which a user's action permission (such as a Forgot Password email) expires.
It's kept short as users are expected to respond to such actions promptly.
You can adjust the values and select the duration unit from the dropdown menu as required.
This refers to the maximum duration before an action permit sent by the administrator to the user expires.
It's recommended to keep this duration long to accommodate offline users.
Administrators can adjust this timeout before issuing the token.
This value represents the lifespan of the request URL, which can be configured in minutes or hours.
The default duration is set to 1 minute.
You can adjust the values and select the duration unit from the dropdown menu as required.
This setting lets you customize the expiration time for specific user-generated actions (such as the forgot password email).
It's recommended to keep this duration short since users typically respond promptly to such self-created actions.
You can select the action and set the desired expiration time accordingly.
This is the maximum lifespan of the device code and user code before they expire.
The duration should be long enough for the user to retrieve their secondary device, navigate to the verification URL, and log in.
At the same time, it should be short enough to mitigate the risk of the code being misused for phishing.
Adjust the values and choose the appropriate duration unit from the dropdown menu as needed.
This setting specifies the waiting period, in seconds, that the client must observe between polling requests to the token endpoint.
You can modify the duration as required.
The above details can be adjusted as per the organization's requirements.