Tokens
Last updated
In the Tokens tab, the Default Signature Algorithm is set to RS256.
This indicates the default algorithm used to sign tokens for the realm.
You can choose the most suitable option from the dropdown menu based on your needs.
This setting is the maximum lifespan of the device code and user code before they expire.
The duration should be long enough to accommodate the user's actions, such as retrieving their secondary device, navigating to the verification URL, and logging in.
At the same time, it should be short enough to mitigate the risk of code misuse for phishing.
Adjust the values and choose the appropriate duration unit from the dropdown menu as needed.
This setting specifies the waiting period, in seconds, that the client must observe between polling requests to the token endpoint.
You can modify the duration as required.
This setting specifies the value returned as the verification_uri in the Device Authorization flow.
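To make the three device-flow settings above concrete, the following is an added example (not code from the product documented here) of a minimal device authorization server that enforces both the code lifespan and the polling interval when a client polls the token endpoint. The concrete values (600 seconds, 5 seconds) and the verification URI are assumptions for the example, as are the class and function names; the error codes are the ones defined by RFC 8628.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Values for the three device-flow settings from the Tokens tab, assumed here for the example
# (the page does not state concrete numbers).
DEVICE_CODE_LIFESPAN = 600          # seconds until device code and user code expire
DEVICE_POLLING_INTERVAL = 5         # minimum seconds between client polls of the token endpoint
VERIFICATION_URI = "https://idp.example.test/device"   # constructed placeholder


@dataclass
class DeviceGrant:
    device_code: str
    user_code: str
    expires_at: float                # absolute time (seconds) at which both codes expire
    last_poll: Optional[float] = None
    approved: bool = False


@dataclass
class DeviceAuthorizationServer:
    """Minimal model of the device authorization grant (RFC 8628) with both limits enforced."""
    grants: Dict[str, DeviceGrant] = field(default_factory=dict)

    def authorize(self, now: float) -> dict:
        """Device authorization response: fresh codes, the verification URI and both timing limits."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))   # e.g. "A1B2-C3D4"
        self.grants[device_code] = DeviceGrant(device_code, user_code, now + DEVICE_CODE_LIFESPAN)
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": VERIFICATION_URI,
            "expires_in": DEVICE_CODE_LIFESPAN,
            "interval": DEVICE_POLLING_INTERVAL,
        }

    def approve(self, user_code: str, now: float) -> bool:
        """The user enters the code at the verification URI; expired codes cannot be approved."""
        for grant in self.grants.values():
            if grant.user_code == user_code and now < grant.expires_at:
                grant.approved = True
                return True
        return False

    def poll(self, device_code: str, now: float) -> dict:
        """Token endpoint: enforces the code lifespan and the polling interval before issuing a token."""
        grant = self.grants.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if now >= grant.expires_at:
            del self.grants[device_code]               # code has expired; forget it
            return {"error": "expired_token"}
        if grant.last_poll is not None and now - grant.last_poll < DEVICE_POLLING_INTERVAL:
            grant.last_poll = now                       # a client polling too fast still resets the clock
            return {"error": "slow_down"}
        grant.last_poll = now
        if not grant.approved:
            return {"error": "authorization_pending"}
        del self.grants[device_code]                    # single use once approved
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

The lifespan check comes first so that an expired code is removed even if the client has been polling politely, and the interval check comes before the approval check so that a client that polls too fast is told to slow down rather than rewarded with a token.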
This is a toggle button. When activated (toggled ON), a refresh token can be reused up to the Refresh Token Max Reuse limit (which can be customized as per your requirements) and is revoked once that limit is reached. Otherwise, refresh tokens are not revoked and remain valid for multiple uses.
When deactivated (toggled OFF), refresh tokens function as usual without revocation.
Toggling Revoke Refresh Token ON also makes the Refresh Token Max Reuse field available.
Specify the number of token reuses as per your requirements.
Once this limit is reached, the Refresh Token is revoked, and a new one is issued.
The value can be adjusted using the arrow buttons to increase or decrease the number as needed.
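The following is an added example (not the product's own code) that models how the Revoke Refresh Token toggle and the Refresh Token Max Reuse field described above interact at a token endpoint: with the toggle OFF a refresh token stays valid for repeated use, with it ON the token may be reused up to the configured limit and is then revoked and replaced. The class and field names are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class RefreshTokenRecord:
    session_id: str
    reuses: int = 0          # how many times this refresh token has already been re-presented
    revoked: bool = False


@dataclass
class TokenService:
    """Simplified model of the two realm settings; not the identity provider's own implementation."""
    revoke_refresh_token: bool         # the Revoke Refresh Token toggle
    refresh_token_max_reuse: int       # Refresh Token Max Reuse; only consulted when the toggle is ON
    tokens: Dict[str, RefreshTokenRecord] = field(default_factory=dict)

    def issue(self, session_id: str) -> str:
        """Mint a refresh token bound to a user session (e.g. at login)."""
        refresh_token = secrets.token_urlsafe(32)
        self.tokens[refresh_token] = RefreshTokenRecord(session_id)
        return refresh_token

    def refresh(self, refresh_token: str) -> Optional[dict]:
        """Exchange a refresh token for a new access token; None means the token was rejected."""
        record = self.tokens.get(refresh_token)
        if record is None or record.revoked:
            return None
        access_token = secrets.token_urlsafe(32)
        if not self.revoke_refresh_token:
            # Toggle OFF: the refresh token is never revoked here and stays valid for repeated use.
            return {"access_token": access_token, "refresh_token": refresh_token, "rotated": False}
        if record.reuses < self.refresh_token_max_reuse:
            # Still under the reuse limit: the same refresh token remains usable.
            record.reuses += 1
            return {"access_token": access_token, "refresh_token": refresh_token, "rotated": False}
        # Limit reached: revoke this token and hand the client a fresh one for the same session.
        record.revoked = True
        new_refresh_token = self.issue(record.session_id)
        return {"access_token": access_token, "refresh_token": new_refresh_token, "rotated": True}
```

With Refresh Token Max Reuse set to 0 and the toggle ON, every refresh revokes the presented token and rotates to a new one; a presented token that has already been revoked is rejected, which is the behaviour that limits how long a stolen refresh token stays useful.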
This defines the maximum lifespan of an Access Token before it expires.
It is generally recommended to keep this shorter than the SSO Timeout duration.
You can adjust the values and select the duration unit from the dropdown menu as required.
This is the maximum lifespan for Access Tokens generated during the OpenID Connect Implicit Flow.
This value is recommended to be shorter than the SSO Timeout.
Unlike other flows, tokens issued here cannot be refreshed, which is why this is a separate timeout from Access Token Lifespan.
You can adjust the values and select the duration unit from the dropdown menu as required.
This refers to the maximum duration for clients to complete the Authorization Code Flow in OIDC.
It is typically recommended to be about 1 minute.
You can adjust the values and select the duration unit from the dropdown menu as required.
This refers to the maximum time after which a user's action permission (such as a Forgot Password email) expires.
It's kept short as users are expected to respond to such actions promptly.
You can adjust the values and select the duration unit from the dropdown menu as required.
This refers to the maximum duration before an action permission sent to the user by an administrator expires.
It's recommended to keep this duration long to accommodate offline users.
Administrators can adjust this timeout before issuing the token.
This sets a separate timeout for email verification. You can adjust this setting according to your needs.
This sets a separate timeout for Identity Provider (IdP) account email verification. You can customize this setting according to your needs.
This sets a separate timeout for forgot password requests. You can customize this setting according to your needs.
This sets a separate timeout for executing actions. You can customize this setting according to your needs.
Once you've entered the above details, clicking on Save will apply the changes you've made.
If you've made changes but decide not to apply them, click on Revert to discard those changes.