spring-authorization-server
Allow configuration for ID Token time-to-live
Expected Behavior
Should allow different clients to customize different ID Token TTL.
Current Behavior
The ID Token TTL is always 30 minutes.
Context
In JwtGenerator.java
Instant issuedAt = Instant.now();
Instant expiresAt;
if (OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue())) {
    // TODO Allow configuration for ID Token time-to-live
    expiresAt = issuedAt.plus(30, ChronoUnit.MINUTES);
} else {
    expiresAt = issuedAt.plus(registeredClient.getTokenSettings().getAccessTokenTimeToLive());
}
I can't find an issue about ID Token TTL Configuration, so I made this issue.
Related gh-58
@jgrandja Is it feasible that we separate this one with gh-58? OIDC Session Management looks like a major feature, which would take a lot of work. However, this one seems to be simple and clear, like @appchemist stated, we should: 1) add a field (like IdTokenTimeToLive) to TokenSettings; 2) Use this setting to set the ID Token's expiresAt Claim in JwtGenerator, or fallback to the default if it is not present.
@octopusthu Yes, this ticket should remain separate from gh-58, as the logic is quite simple and requires changes in TokenSettings and JwtGenerator.
Hi all, I would like to contribute to this feature if you do not mind. I have just created this simple PR for that. Cheers.
@octopusthu
Is it feasible that we separate this one with gh-58?
After re-reviewing the OpenID Connect Session Management 1.0 spec, it actually makes sense to add TokenSettings.idTokenTimeToLive as part of the overall feature to be delivered in gh-58.
Given this, I'm going to close this as a duplicate. cc/ @appchemist
If an application needs to override the default 30min expiry for an ID Token, you can use an OAuth2TokenCustomizer to override the default.
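
Added example (not code from the project or from any commenter in this thread): one way to apply the OAuth2TokenCustomizer workaround so that each client gets its own ID Token lifetime. The class name, client IDs and lifetimes are constructed, and the package names are an assumption that fits releases which ship JwtGenerator.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
// Assumption: ...authorization.token package, as in releases that include JwtGenerator.
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

@Configuration
public class IdTokenTtlConfig { // hypothetical class name

    // Constructed sample values: per-client ID Token lifetimes keyed by client_id.
    private static final Map<String, Duration> ID_TOKEN_TTL = Map.of(
            "admin-console", Duration.ofMinutes(5),
            "mobile-app", Duration.ofMinutes(15));

    // Same value JwtGenerator hard-codes; used for clients without an entry.
    private static final Duration DEFAULT_TTL = Duration.ofMinutes(30);

    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> idTokenTtlCustomizer() {
        return context -> {
            // Leave access tokens alone; they already honour TokenSettings.
            if (!OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue())) {
                return;
            }
            Duration ttl = ID_TOKEN_TTL.getOrDefault(
                    context.getRegisteredClient().getClientId(), DEFAULT_TTL);
            context.getClaims().claims(claims -> {
                // Derive exp from the iat already in the claims so both stay consistent;
                // fall back to the current time if iat is missing or not an Instant.
                Object iat = claims.get(JwtClaimNames.IAT);
                Instant issuedAt = (iat instanceof Instant) ? (Instant) iat : Instant.now();
                claims.put(JwtClaimNames.EXP, issuedAt.plus(ttl));
            });
        };
    }
}
```

The customizer only rewrites the `exp` claim of tokens whose type is `id_token`, so access token lifetimes continue to come from `TokenSettings.getAccessTokenTimeToLive()`.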