Configuring access and identity token validity

Change the default setting of the access token and identity token validity.

By default, the access token and identity (ID) token are valid for 12 hours after you sign out of the console or close your browser. You can change this default value as required.

Follow these steps to change the token validity:

  1. Set up the kubectl CLI. See Installing the Kubernetes CLI (kubectl) for more information.
  2. Edit the platform-auth-idp configmap.

    kubectl -n ibm-common-services edit configmap platform-auth-idp
    

    The file content resembles the following code:

    # Please edit the following object. Lines beginning with a '#' will be ignored,
    # and an empty file will abort the edit. If an error occurs while saving this file will be
    # reopened with the relevant failures.
    #
    apiVersion: v1
    data:
     AUDIT_ENABLED_IDMGMT: "false"
     AUDIT_ENABLED_IDPROVIDER: "false"
     BASE_AUTH_URL: /v1
     BASE_OIDC_URL: https://127.0.0.1:8443/idauth/oidc/endpoint/OP
     CLUSTER_NAME: mycluster
     HTTP_ONLY: "true"
     IDENTITY_AUTH_DIRECTORY_URL: http://127.0.0.1:3100
     IDENTITY_PROVIDER_URL: http://127.0.0.1:4300
     IDTOKEN_LIFETIME: 12h
     JOURNAL_PATH: /run/systemd/journal
     MASTER_HOST: mycluster.icp
     NODE_ENV: production
     OAUTH2DB_DB_HOST: mongodb
     OAUTH2DB_DB_PORT: "3306"
     OIDC_ISSUER_URL: https://mycluster.icp:8443/oidc/endpoint/OP
     SESSION_TIMEOUT: "43200"
     logrotate: |-
       /var/log/audit/*.log {
         su nobody root
      .
      .
      .
    
  3. Update the values of the SESSION_TIMEOUT and IDTOKEN_LIFETIME parameters.

    • The SESSION_TIMEOUT parameter sets the access token validity, the default value of which is 43200 seconds. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.
    • The IDTOKEN_LIFETIME parameter sets the ID token validity, the default value of which is 12 hours. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, 14h or 60000s. You cannot include multiple values in a single entry. For example, you cannot add 1h30m.

    After you update and save the changes, you see the following message:

    configmap "platform-auth-idp" edited
    
  4. Restart the auth-idp pod.

    a. Get the auth-idp pod ID.

     kubectl -n ibm-common-services get pods | grep auth-idp
    

    The following is sample output from the command:

     auth-idp-t6sfm                            4/4    Running      0    1d
    

    b. Delete the auth-idp pod.

     kubectl -n ibm-common-services delete pod auth-idp-t6sfm
    

    After the pod is deleted, you see the following message:

     pod "auth-idp-t6sfm" deleted
    

    Wait for a few minutes for the pod to restart.

    c. Verify the status of the pod.

     kubectl -n ibm-common-services get pods | grep auth-idp-t6sfm
    

    The pod gets a new ID after it restarts:

     auth-idp-5267t                                                 1/4       Running     0          4m
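The whole procedure above, scripted as an added example that is not part of the IBM documentation: it checks the two values against the format rules from step 3 (IDTOKEN_LIFETIME takes a single integer plus unit, SESSION_TIMEOUT may combine several), patches only those two keys instead of opening an editor, then deletes the auth-idp pod and polls for the replacement as in step 4. It assumes kubectl is on PATH and already points at the cluster, and that the pod has four containers as in the sample output above.

```shell
#!/bin/sh
# Added example, not the product's own tooling. Assumes kubectl is
# configured for the cluster; namespace and configmap name are from the page.
NS="ibm-common-services"
CM="platform-auth-idp"

# IDTOKEN_LIFETIME: exactly one positive integer followed by h, m or s.
# Combined entries such as 1h30m are rejected, as the page states.
valid_idtoken_lifetime() {
  printf '%s\n' "$1" | grep -Eq '^[1-9][0-9]*[hms]$'
}

# SESSION_TIMEOUT: one or more integer+unit groups (1m30s is allowed), or a
# bare number of seconds, which is how the default "43200" appears in the configmap.
valid_session_timeout() {
  printf '%s\n' "$1" | grep -Eq '^(([1-9][0-9]*[hms])+|[1-9][0-9]*)$'
}

# JSON merge patch that changes only the two lifetime keys in .data.
build_patch() {
  printf '{"data":{"SESSION_TIMEOUT":"%s","IDTOKEN_LIFETIME":"%s"}}' "$1" "$2"
}

# Validate, patch the configmap, delete the auth-idp pod so it restarts with
# the new values, then wait until the replacement pod is Running and 4/4 ready.
apply_token_lifetimes() {
  session="$1"; idtoken="$2"
  valid_session_timeout "$session" || { echo "bad SESSION_TIMEOUT: $session" >&2; return 1; }
  valid_idtoken_lifetime "$idtoken" || { echo "bad IDTOKEN_LIFETIME: $idtoken" >&2; return 1; }
  kubectl -n "$NS" patch configmap "$CM" --type merge -p "$(build_patch "$session" "$idtoken")" || return 1
  pod=$(kubectl -n "$NS" get pods | grep auth-idp | awk '{print $1}')
  [ -n "$pod" ] || { echo "auth-idp pod not found" >&2; return 1; }
  kubectl -n "$NS" delete pod "$pod" || return 1
  n=0
  while [ "$n" -lt 60 ]; do
    kubectl -n "$NS" get pods | grep auth-idp | grep -Eq ' 4/4 +Running' && return 0
    sleep 5; n=$((n + 1))
  done
  echo "auth-idp pod did not become ready" >&2; return 1
}

# Only touch the cluster when explicitly asked, e.g.: APPLY=1 sh lifetimes.sh 8h 8h
if [ "${APPLY:-0}" = "1" ]; then
  apply_token_lifetimes "${1:-43200}" "${2:-12h}"
fi
```

Running the script without APPLY=1 only defines the functions, so the validators can be exercised locally before anything is changed on the cluster.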