Configuring access and identity token validity

Change the default setting of the access token and identity token validity.

By default, the access token and identity (ID) token are valid for 12 hours after you sign out of the console or close your browser. You can change this default value as required.

Follow these steps to change the token validity:

  1. Edit the platform-auth-idp configmap.

    oc -n <your-foundational-services-namespace> edit configmap platform-auth-idp
    

    The file content resembles the following code:

    # Please edit the following object. Lines beginning with a '#' will be ignored,
    # and an empty file will abort the edit. If an error occurs while saving this file will be
    # reopened with the relevant failures.
    #
    apiVersion: v1
    data:
      AUDIT_ENABLED_IDMGMT: "false"
      AUDIT_ENABLED_IDPROVIDER: "false"
      BASE_AUTH_URL: /v1
      BASE_OIDC_URL: https://127.0.0.1:8443/idauth/oidc/endpoint/OP
      CLUSTER_NAME: mycluster
      HTTP_ONLY: "true"
      IDENTITY_AUTH_DIRECTORY_URL: http://127.0.0.1:3100
      IDENTITY_PROVIDER_URL: http://127.0.0.1:4300
      IDTOKEN_LIFETIME: 12h
      JOURNAL_PATH: /run/systemd/journal
      MASTER_HOST: mycluster.icp
      NODE_ENV: production
      OAUTH2DB_DB_PORT: "3306"
      OIDC_ISSUER_URL: https://mycluster.icp:8443/oidc/endpoint/OP
      SESSION_TIMEOUT: "43200"
      logrotate: |-
        /var/log/audit/*.log {
          su nobody root
       .
       .
       .
    
  2. Update the values of the SESSION_TIMEOUT and IDTOKEN_LIFETIME parameters.

    • The SESSION_TIMEOUT parameter sets the access token validity, the default value of which is 43200 seconds. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, specify 30 seconds as 30s. You can include multiple values in a single entry. For example, 1m30s is equivalent to 90 seconds.
    • The IDTOKEN_LIFETIME parameter sets the ID token validity, the default value of which is 12 hours. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), or seconds (s). For example, 14h or 60000s. You cannot include multiple values in a single entry. For example, you cannot add 1h30m.

    After you update and save the changes, you see the following message:

    configmap "platform-auth-idp" edited
    
  3. Restart the platform-auth-service pod.

    1. Get the platform-auth-service pod ID.

      oc -n <your-foundational-services-namespace> get pods | grep platform-auth-service
      

      Following is a sample output of the command:

      platform-auth-service-t6sfm     4/4    Running      0    1d
      
    2. Delete the platform-auth-service pod.

      oc -n <your-foundational-services-namespace> delete pod platform-auth-service-t6sfm
      

      After the pod is deleted, you see the following message:

      pod "platform-auth-service-t6sfm" deleted
      

      Wait for a few minutes for the pod to restart.

    3. Verify the status of the pod.

      oc -n <your-foundational-services-namespace> get pods | grep platform-auth-service-t6sfm
      

      The pod gets a new ID after restart.

      platform-auth-service-5267t                1/4       Running     0          4m