Configuring OIDC application general settings
Configure OpenID Connect provider settings that apply to OpenID Connect applications on this tenant.
Procedure
- Select Applications > Application settings > OIDC general settings.
- Provide Verify with basic information about the general settings.
  - Issuer hostname: The hostname for the JWT issuer. It must be the tenant hostname or one of the vanity hostnames. The full issuer string is https://{issuerHostname}/oidc/endpoint/default.
  - Base URL for MTLS endpoints: The base URL for the mutual TLS (MTLS) endpoints. It must include the protocol scheme, for example https://.
  - ID token lifetime: The ID token lifetime in seconds. Maximum 2147483647, minimum 1.
  - Refresh token fault tolerance option: The action that is taken on the old refresh token after it is used. The attribute has three options.
    - Refresh token fault tolerance lifetime: If the remaining lifetime of the used refresh token is more than the value of Refresh token fault tolerance lifetime, it is reduced to that value. If it is already lower, it is left unchanged.
    - Revoke: The used refresh token is revoked immediately. Any remaining lifetime is ignored.
    - Do not rotate: A new refresh token is not created during refresh. The same refresh token is returned in the response and keeps its original lifetime.
  - Refresh token fault tolerance lifetime: The amount of time, in seconds, that a refresh token remains valid after it is used. The refresh token can be used again if the client did not receive the new tokens during a token refresh. This value is not used if the remaining lifetime of the refresh token is already lower. Maximum 2147483647, minimum 1.
  - JWT validation time skew: The skew in seconds that is allowed when the iat, nbf, and exp claims are validated in any incoming JWT.
    - iat: The time the token was created.
    - nbf: Not before, the earliest time at which the token can be used.
    - exp: The expiry time of the JWT.
  - Device flow polling interval: The device-flow polling interval in seconds. Maximum 3600, minimum 2.
  - Device flow code lifetime: The device-flow device code and user code lifetime in seconds. Maximum 1800, minimum 1.
  - Client secret length: The length of the auto-generated client secret. Maximum 25, minimum 8.
  - Rotated secret lifetime: The default rotated client secret lifetime in days. Maximum 90, minimum 0.
  - Enforce client authentication on device authentication endpoint: Enforces client authentication when the OAuth device authorization-grant flow is triggered.
  - Default key for signing: The default JWT signing key.
  - Default key for encryption: The default JWT encryption key.
  - Exclude 'x5c' in JWKS output: Excludes the 'x5c' (X.509 certificate chain) parameter from the published JWKS.
  - Exclude 'x5t' and 'x5t#S256' in JWKS output: Excludes the 'x5t' (SHA-1 certificate thumbprint) and 'x5t#S256' (SHA-256 certificate thumbprint) parameters from the published JWKS.
  - Allow access tokens to be exchanged for SSO session: Controls whether an access token can be exchanged for an SSO session.
    - Allow: Access tokens can be exchanged for an SSO session.
    - Allow and revoke token: Access tokens can be exchanged for an SSO session, but the access token is revoked after the exchange.
    - Deny: Access tokens cannot be exchanged for an SSO session.
  - Add other properties for OpenID provider metadata: Extra properties to publish in the OpenID provider metadata (discovery document), as a JSON object, for example { "additionalMetadata": "some value" }.
  - Token exchange: A short period of time, in seconds, after the official expiration time of an ID token during which it is still accepted for token exchange. It accounts for clock skew or network delays between systems and prevents valid tokens from being rejected because of minor timing differences between the token issuer and the verifier.
  - Scopes to claim mapping: Associates OAuth or OpenID Connect scopes with specific user information fields (claims). When a client requests scopes, the authorization server uses this mapping to determine which claims to include in the issued tokens and in userinfo responses.
- Provide Verify with generic token exchange settings.
  - ID token expiry tolerance window: The amount of time, in seconds, after expiry that the ID token can still be used for token exchange. If not set, the ID token expiry is not checked. Maximum 86400, minimum 5.
- Click Save changes.
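The interaction between the Refresh token fault tolerance option and the Refresh token fault tolerance lifetime is easiest to see by replaying the case the setting exists for: a client whose token-refresh response was lost and that retries with the old refresh token. The following is an added example, not IBM Security Verify code; it models the three options as described in the table above. The token representation, the function names, and the timestamps are assumptions made for the model. Note that a longer fault tolerance lifetime also lengthens the replay window for a stolen refresh token, so it should be no larger than lost-response retries need.

```python
"""Model of the three "Refresh token fault tolerance option" behaviours.

Added example, not IBM Security Verify code. It reproduces the behaviour the
settings table describes so the effect of each option on a client that lost
the token-refresh response can be checked offline. Token representation,
function names and timestamps are assumptions.
"""
from dataclasses import dataclass, replace
import secrets

# Option names as they appear on the settings page.
REDUCE_LIFETIME = "Refresh token fault tolerance lifetime"
REVOKE = "Revoke"
DO_NOT_ROTATE = "Do not rotate"


@dataclass(frozen=True)
class RefreshToken:
    value: str
    expires_at: int          # epoch seconds
    revoked: bool = False

    def remaining(self, now: int) -> int:
        return max(0, self.expires_at - now)

    def usable(self, now: int) -> bool:
        return not self.revoked and self.expires_at > now


def use_refresh_token(token, now, option, fault_tolerance_lifetime, refresh_token_lifetime):
    """Redeem `token` at time `now` under the configured option.

    Returns (state of the used token afterwards, token returned to the client).
    `fault_tolerance_lifetime` is the "Refresh token fault tolerance lifetime"
    setting in seconds; `refresh_token_lifetime` is the lifetime given to a
    newly minted refresh token (an assumption of this model).
    """
    if not token.usable(now):
        raise PermissionError("refresh token expired or revoked")

    if option == DO_NOT_ROTATE:
        # No new token: the same token goes back with its original lifetime.
        return token, token

    new_token = RefreshToken(secrets.token_urlsafe(32), now + refresh_token_lifetime)

    if option == REVOKE:
        # The old token dies immediately; a lost response strands the client.
        return replace(token, revoked=True), new_token

    if option == REDUCE_LIFETIME:
        # The old token survives for at most fault_tolerance_lifetime more
        # seconds. If it already has less than that left, it is left untouched.
        if token.remaining(now) > fault_tolerance_lifetime:
            return replace(token, expires_at=now + fault_tolerance_lifetime), new_token
        return token, new_token

    raise ValueError(f"unknown option {option!r}")


def lost_response_retry(option, fault_tolerance_lifetime=60, retry_delay=5):
    """Simulate a client whose first refresh response was lost on the network
    and that retries with the same refresh token `retry_delay` seconds later.
    Returns True if the retry is accepted."""
    now = 1_700_000_000                                   # constructed timestamp
    token = RefreshToken("initial-refresh-token", now + 3600)
    used, _lost_response = use_refresh_token(token, now, option, fault_tolerance_lifetime, 3600)
    try:
        use_refresh_token(used, now + retry_delay, option, fault_tolerance_lifetime, 3600)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for opt in (REDUCE_LIFETIME, REVOKE, DO_NOT_ROTATE):
        print(f"{opt:45} retry after lost response accepted: {lost_response_retry(opt)}")
```

Under Revoke the retry fails and the client must re-authenticate; under the fault tolerance lifetime option it succeeds only while the shortened lifetime has not elapsed; under Do not rotate it always succeeds because the token is never replaced.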
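Three of the settings above define how a relying party should treat the issuer string and the time claims of a token from this tenant: the issuer string derived from the issuer hostname, the JWT validation time skew applied to iat, nbf and exp, and the ID token expiry tolerance window that only applies to token exchange. The following is an added example, not IBM Security Verify code or its API; it implements those rules on a constructed token. Signature, audience and nonce checks that a real verifier performs before looking at time claims are out of scope here, and the hostname, function names and the rejection of an ID token without exp are assumptions.

```python
"""Issuer string construction, time-claim validation with a configured skew,
and the ID token expiry tolerance window for token exchange.

Added example, not IBM Security Verify code: it implements the rules stated
in the settings table on a constructed token. Signature, audience and nonce
checks are out of scope. Hostname and function names are assumptions.
"""
import base64
import json
import time
from typing import Optional

# From the page: the full issuer string is https://{issuerHostname}/oidc/endpoint/default
ISSUER_PATH = "/oidc/endpoint/default"


def issuer_for(issuer_hostname: str) -> str:
    """Full issuer string for the configured issuer hostname."""
    return f"https://{issuer_hostname}{ISSUER_PATH}"


def decode_payload(jwt: str) -> dict:
    """Base64url-decode the payload segment of a compact JWT. No signature check."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)          # restore the padding compact serialization strips
    return json.loads(base64.urlsafe_b64decode(seg))


def validate_issuer(claims: dict, issuer_hostname: str) -> bool:
    """The iss claim must equal the tenant's full issuer string exactly."""
    return claims.get("iss") == issuer_for(issuer_hostname)


def validate_time_claims(claims: dict, now: Optional[int] = None, skew: int = 0):
    """Apply the JWT validation time skew (seconds) to iat, nbf and exp.

    Returns None when every present time claim is acceptable, otherwise the
    name of the first claim that fails.
    """
    now = int(time.time()) if now is None else now
    if "iat" in claims and claims["iat"] > now + skew:
        return "iat"                  # issued in the future beyond the allowed skew
    if "nbf" in claims and claims["nbf"] > now + skew:
        return "nbf"                  # not yet valid
    if "exp" in claims and claims["exp"] + skew <= now:
        return "exp"                  # expired even after allowing for skew
    return None


def id_token_usable_for_exchange(claims: dict, now: int, tolerance_window: Optional[int]) -> bool:
    """ID token expiry tolerance window rule: if the window is not set the
    expiry is not checked; otherwise the token may still be used for up to
    tolerance_window seconds after exp. The page's range 5..86400 is enforced."""
    if tolerance_window is None:
        return True
    if not 5 <= tolerance_window <= 86400:
        raise ValueError("ID token expiry tolerance window must be between 5 and 86400 seconds")
    if "exp" not in claims:
        return False                  # assumption: an ID token without exp is rejected
    return now < claims["exp"] + tolerance_window


def make_test_token(claims: dict) -> str:
    """Constructed compact token for the demo; the signature segment is a dummy."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.dummy-signature"


if __name__ == "__main__":
    now = 1_700_000_000
    host = "tenant.example.com"       # constructed hostname
    tok = make_test_token({"iss": issuer_for(host), "sub": "user1",
                           "iat": now + 20, "nbf": now + 20, "exp": now + 300})
    claims = decode_payload(tok)
    print("issuer ok:", validate_issuer(claims, host))
    print("skew 0  :", validate_time_claims(claims, now, 0))    # rejected on iat
    print("skew 30 :", validate_time_claims(claims, now, 30))   # accepted
    print("exchange 100s after exp, window 120:",
          id_token_usable_for_exchange({"exp": now - 100}, now, 120))
```

The constructed token is issued 20 seconds in the future relative to the verifier's clock, which is exactly the case the skew setting exists for: with a skew of 0 it is rejected on iat, with a skew of 30 it is accepted. Keep the skew and the exchange tolerance window as small as the real clock drift between systems requires, since both widen the period during which an expired token is still honoured.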