Unable to set Access_Token to expiring based on the Application settings

  • For testing purposes I set the JWT Duration of the Application to 30 seconds and the Refresh Token Duration to 1 minute. When I logged in with the user of this application, I see that in the user Session the Expiration date is one hour ahead of Last Accessed instead of one minute ahead. After logging in with the user, I wait after the minute and the access_token is still alive. Only after the hour is up does the access token expire. So I'm confused how to set the access token expiration time.

    Here are some additional settings of the Application that may affect the expiration timeout:

    Steps to Duplicate:

    • Use the default Tenant
    • Create Application with these settings:
      Application Settings:
      Name: dotnetcore
      Tenant: Default
      Login API configuration
      Require an API key: Yes
      Generate Refresh Tokens: No
      Enable JWT refresh: Yes
      Passwordless login Enabled: No
      Authentication tokens Enabled: No
      JWT Enabled: Yes
      JWT time to live in seconds: 30
      Refresh Token time to live in minutes: 1
      Refresh Token expiration: Fixed. The expiration is calculated when the token is first created.
      Refresh Token usage: Reusable. The value does not change after it has been created.
      OAuth configuration
      Require authentication: Yes
      Generate Refresh Tokens: No
      Logout behavior: All applications
      Enabled grants: Authorization Code

  • Looking more into it, I found that the Tenant Session Timeout is what is shown for the User Session Expiration. I was not aware of the Tenant Session Timeout. In one of the Applications the Tenant Session Timeout was the same as the Application JWT Timeout. So I had believed that the Session Expiration was the JWT (Access Token) Timeout. Would be nice to see somewhere with the User when the Access Token would expire since Access Token (JWT Timeout) can be a different timeout as the Tenant Session Timeout.

  • @amyers I'm not quite sure what you are suggesting. Are you saying that you'd like information on the user view (in the admin UI) about when a JWT created on login would expire? Or do I misunderstand you?

Log in to reply

Looks like your connection to FusionAuth Forum was lost, please wait while we try to reconnect.