Configuring access and identity token validity
Change the default setting of the access token and identity token validity.
By default, the access token and identity (ID) token are valid for 12 hours after you sign out of the console or close your browser. You can change this default value as required.
Follow these steps to change the token validity:
-
Edit the
platform-auth-idp
configmap.oc -n <your-foundational-services-namespace> edit configmap platform-auth-idp
The file content resembles the following code:
# Please edit the following object. Lines beginning with a '#' will be ignored, # and an empty file will abort the edit. If an error occurs while saving this file will be # reopened with the relevant failures. # apiVersion: v1 data: AUDIT_ENABLED_IDMGMT: "false" AUDIT_ENABLED_IDPROVIDER: "false" BASE_AUTH_URL: /v1 BASE_OIDC_URL: https://127.0.0.1:8443/idauth/oidc/endpoint/OP CLUSTER_NAME: mycluster HTTP_ONLY: "true" IDENTITY_AUTH_DIRECTORY_URL: http://127.0.0.1:3100 IDENTITY_PROVIDER_URL: http://127.0.0.1:4300 IDTOKEN_LIFETIME: 12h JOURNAL_PATH: /run/systemd/journal MASTER_HOST: mycluster.icp NODE_ENV: production OAUTH2DB_DB_PORT: "3306" OIDC_ISSUER_URL: https://mycluster.icp:8443/oidc/endpoint/OP SESSION_TIMEOUT: "43200" logrotate: |- /var/log/audit/*.log { su nobody root . . .
-
Update the values of the
SESSION_TIMEOUT
andIDTOKEN_LIFETIME
parameters.- The
SESSION_TIMEOUT
parameter sets the access token validity, the default value of which is43200
seconds. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds. - The
IDTOKEN_LIFETIME
parameter sets the ID token validity, the default value of which is12
hours. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example,14h
or60000s
. You cannot include multiple values in a single entry. For example, you cannot add1h30m
.
After you update and save the changes, you see the following message:
configmap "platform-auth-idp" edited
- The
-
Restart the
platform-auth-service
pod.-
Get the
platform-auth-service
pod ID.oc -n <your-foundational-services-namespace> get pods | grep platform-auth-service
Following is a sample output of the command:
platform-auth-service-t6sfm 4/4 Running 0 1d
-
Delete the
platform-auth-service
pod.oc -n <your-foundational-services-namespace> delete pod platform-auth-service-t6sfm
After the pod is deleted, you see the following message:
pod "platform-auth-service-t6sfm" deleted
Wait for a few minutes for the pod to restart.
-
Verify the status of the pod.
oc -n <your-foundational-services-namespace> get pods | grep platform-auth-service-t6sfm
The pod gets a new ID after restart.
platform-auth-service-5267t 1/4 Running 0 4m
-