
Token Lifespan Configuration Guide

This document provides comprehensive guidelines for configuring OAuth2 token lifespans in EF IAM according to industry security standards and best practices. The configuration follows recommendations from RFC 6749, OWASP security guidelines, and modern cybersecurity frameworks.

Industry Standard Token Lifespans

Based on security research and industry best practices, the following token lifespans are recommended:

Token Type    | Standard Lifespan | Security Level | Use Case
--------------|-------------------|----------------|------------------------------
Access Token  | 15 minutes        | High Security  | API access, resource requests
Refresh Token | 7 days            | Balanced       | Session persistence

Security Rationale

  • Short Access Tokens (15 minutes): Minimizes the impact of token theft or interception

  • Medium Refresh Tokens (7 days): Balances security with user experience

  • Activity-Based Extension: Sessions extend with user activity, expire with inactivity

Configuration Settings

Realm-Level Configuration

We are going to implement the following settings for the access and refresh token lifespans as per RFC 6749 and RFC 6750.

Access Token Settings

CODE
Access Token Lifespan: 15m (900 seconds)
Access Token Lifespan for Implicit Flow: 15m (900 seconds)
Client Login Timeout: 30m (1800 seconds)
Login Timeout: 30m (1800 seconds)

Session Settings (Controls Refresh Token Lifespan)

CODE
SSO Session Idle Timeout: 7d (604800 seconds)
SSO Session Max Lifespan: 7d (604800 seconds)
Client Session Idle Timeout: 7d (604800 seconds)
Client Session Max Lifespan: 7d (604800 seconds)

Client-Level Configuration

CODE
Access Token Lifespan: 15m

IAM Admin Console Configuration:

  1. First, check the current lifespan of your access and refresh tokens. The screenshot shows the Postman API call that generates an admin token; you can see that the lifespan of both tokens is 30 minutes.

     [Screenshot]
  2. Now go to your target realm in EF IAM and click on Realm Settings under the Configure tab (in this example it is Expertflow).

     [Screenshot]
  3. Click on the Tokens tab in Realm Settings and change all the settings as per the configuration given below:

     [Screenshot: Access token session lifespan setting]

  4. Click on the Session tab in Realm Settings and change all the settings as per the configuration given below:

     [Screenshot: Refresh token session lifespan settings]

  5. Now click on the Clients tab under Manage in the left panel, then click on cim.

     [Screenshot]
  6. Click on the Advanced tab in the cim client settings.

     [Screenshot]
  7. Scroll down until you see Advanced Settings, under which you can see the Access Token Lifespan setting. This setting modifies the lifespan of the access token for this client. Modify it as per the configuration given below:

     [Screenshot: Access token lifespan as per client]

Verification and Testing

Verify Token Configuration

  1. Test Token Endpoint Response

CODE
curl -X POST \
  http://localhost:8080/realms/{realm-name}/protocol/openid-connect/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=password&client_id={client-id}&username={username}&password={password}'
  2. Expected Response Format

CODE
{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "expires_in": 900,
  "refresh_expires_in": 604800,
  "refresh_token": "eyJhbGciOiJIUzI1NiIs...",
  "token_type": "Bearer",
  "not-before-policy": 0,
  "session_state": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "scope": "profile email"
}
  3. Key Verification Points

    • expires_in: Should be 900 (15 minutes)

    • refresh_expires_in: Should be 604800 (7 days)
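As an added example (not part of the original guide), the check below takes a token-endpoint response like the one above and confirms that the reported lifespans and the iat/exp claims inside the tokens both agree with the 15m / 7d configuration. The response is constructed inline so the script runs offline; in practice, feed it the JSON returned by the curl call.

```python
import base64
import json

# Lifespans this guide configures, in seconds
EXPECTED_ACCESS_LIFESPAN = 900       # 15m
EXPECTED_REFRESH_LIFESPAN = 604800   # 7d

def decode_jwt_claims(token):
    """Read the claims of a JWT without verifying its signature (the resource
    server does that); here we only need iat/exp to measure the lifespan."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token_response(resp):
    """Return a list of findings; an empty list means the response matches
    the 15m / 7d configuration both in the JSON and inside the tokens."""
    findings = []
    expected = {"expires_in": EXPECTED_ACCESS_LIFESPAN,
                "refresh_expires_in": EXPECTED_REFRESH_LIFESPAN}
    for field, want in expected.items():
        if resp.get(field) != want:
            findings.append(f"{field} is {resp.get(field)}, expected {want}")
    # Cross-check: the JSON fields must agree with the claims in the tokens
    for name, want in (("access_token", EXPECTED_ACCESS_LIFESPAN),
                       ("refresh_token", EXPECTED_REFRESH_LIFESPAN)):
        claims = decode_jwt_claims(resp[name])
        lifespan = claims["exp"] - claims["iat"]
        if lifespan != want:
            findings.append(f"{name} exp-iat is {lifespan}s, expected {want}s")
    return findings

def make_unsigned_token(claims):
    """Constructed JWT-shaped string for the samples below (dummy signature)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.sig"

NOW = 1_700_000_000
# Constructed response mirroring the expected format above
SAMPLE_RESPONSE = {
    "access_token": make_unsigned_token({"iat": NOW, "exp": NOW + 900}),
    "expires_in": 900, "refresh_expires_in": 604800,
    "refresh_token": make_unsigned_token({"iat": NOW, "exp": NOW + 604800}),
    "token_type": "Bearer",
}
# Constructed response from a realm still issuing the 30-minute access token seen in step 1
MISCONFIGURED = dict(SAMPLE_RESPONSE, expires_in=1800,
                     access_token=make_unsigned_token({"iat": NOW, "exp": NOW + 1800}))
```

`check_token_response(SAMPLE_RESPONSE)` returns an empty list, while the misconfigured sample yields one finding for the JSON field and one for the claims inside the access token.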

Token Refresh Flow Testing

CODE
# Use refresh token to get new access token
curl -X POST \
  http://localhost:8080/realms/{realm-name}/protocol/openid-connect/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=refresh_token&client_id={client-id}&refresh_token={refresh-token}'


Detailed Setting Explanations

Access Token Settings

Setting                                 | Value       | Purpose                              | Impact
----------------------------------------|-------------|--------------------------------------|-----------------------------------------------
Access Token Lifespan                   | 15m (900s)  | Primary access token validity period | Controls how often clients must refresh tokens
Access Token Lifespan for Implicit Flow | 15m (900s)  | Token validity for SPA implicit flow | Applies only to deprecated implicit flow
Client Login Timeout                    | 30m (1800s) | Authentication session duration      | Time allowed to complete login process
Login Timeout                           | 30m (1800s) | Maximum login flow duration          | Prevents abandoned login sessions

Session Settings (Refresh Token Control)

Setting                     | Value        | Purpose                               | Impact
----------------------------|--------------|---------------------------------------|--------------------------------------
SSO Session Idle Timeout    | 7d (604800s) | Inactivity timeout for user sessions  | Primary refresh token lifespan control
SSO Session Max Lifespan    | 7d (604800s) | Absolute maximum session duration     | Hard limit regardless of activity
Client Session Idle Timeout | 7d (604800s) | Client-specific inactivity timeout    | Overrides realm setting per client
Client Session Max Lifespan | 7d (604800s) | Client-specific maximum duration      | Overrides realm setting per client
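To make the difference between the idle timeout (reset by activity) and the max lifespan (a hard limit) concrete, here is an added simulation that is not part of the original guide. It replays refresh attempts against both clocks using the page's 7d / 7d values, and then, as a generalisation beyond the page's configuration, a 1d idle timeout against the 7d max so the two clocks can be told apart; the way `refresh_expires_in` is derived (idle window capped by the remaining max lifespan) is an assumption of this model.

```python
# Model of the two session clocks in the table above (seconds); the page
# configures both at 7 days.
SSO_SESSION_IDLE = 604800   # reset by every refresh (activity-based extension)
SSO_SESSION_MAX = 604800    # counted from login and never reset (hard limit)

def refresh_decision(session_start, last_activity, now,
                     idle=SSO_SESSION_IDLE, max_lifespan=SSO_SESSION_MAX):
    """Return (allowed, reason, refresh_expires_in) for a refresh at `now`.
    refresh_expires_in is modelled (assumption) as the idle window capped by
    whatever is left of the max lifespan."""
    if now - session_start > max_lifespan:
        return False, "max lifespan exceeded", 0
    if now - last_activity > idle:
        return False, "idle timeout exceeded", 0
    return True, "ok", min(idle, max_lifespan - (now - session_start))

def simulate(refresh_times, idle=SSO_SESSION_IDLE, max_lifespan=SSO_SESSION_MAX):
    """Replay refresh attempts (seconds after login) against both clocks.
    A successful refresh resets the idle clock; the max clock never moves."""
    last_activity, results = 0, []
    for t in refresh_times:
        allowed, reason, ttl = refresh_decision(0, last_activity, t, idle, max_lifespan)
        results.append((t, allowed, reason, ttl))
        if allowed:
            last_activity = t
    return results

HOUR = 3600
# Page configuration (idle == max == 7d): activity extends the session only
# up to 7 days after login; after that re-authentication is required.
PAGE_CONFIG = simulate([24 * HOUR, 144 * HOUR, 192 * HOUR])
# Generalisation, not the page's values: a 1d idle against the 7d max makes
# the two clocks distinguishable. Refreshing every 20h keeps the session alive
# until the max cap, and refresh_expires_in shrinks as the cap approaches.
SPLIT_ACTIVE = simulate([20 * HOUR * k for k in range(1, 10)], idle=24 * HOUR)
# Same settings, but a 40h gap between refreshes trips the idle timeout first.
SPLIT_IDLE = simulate([20 * HOUR, 60 * HOUR], idle=24 * HOUR)

if __name__ == "__main__":
    for row in PAGE_CONFIG + SPLIT_ACTIVE + SPLIT_IDLE:
        print(row)
```

With idle equal to max, as configured here, an active user still has to log in again 7 days after the session started; the idle clock only matters when it is shorter than the max lifespan.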

Compliance and Standards

Industry Standards Compliance

Standard | Reference                         | Compliance Notes
---------|-----------------------------------|----------------------------
RFC 6749 | OAuth 2.0 Authorization Framework | Core OAuth2 implementation
RFC 6750 | Bearer Token Usage                | Access token handling
OWASP    | OAuth 2.0 Security Cheat Sheet    | Security best practices
NIST     | Digital Identity Guidelines       | Identity assurance levels
