Lifetime of tokens - kmd-identity/documentation GitHub Wiki
Lifetime of tokens depends on the protocol used to integrate with KMD Identity.
SAML protocol
KMD Identity issues a SAML Response which includes a SAML Assertion (token). The lifetime-related contents of the SAML Assertion are:
- Assertion element with IssueInstant attribute. Determines when the SAML Assertion was issued.
- SubjectConfirmationData element with NotOnOrAfter attribute. Determines the latest time at which a User Session must be created in the application. It does not specify the length of the User Session. The value of NotOnOrAfter is set to IssueInstant + 5 minutes.
- Conditions element with NotBefore and NotOnOrAfter attributes. Determines the length of the User Session. Your application must re-authenticate a user when NotOnOrAfter has expired. The value of NotBefore is set to IssueInstant. The value of NotOnOrAfter is set to IssueInstant + 1 hour.
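The two NotOnOrAfter deadlines above serve different purposes, and an application has to check them separately: SubjectConfirmationData gates whether the assertion may still be turned into a session, while Conditions bounds how long that session may live. The following is an added example (not code from KMD Identity or this wiki) that parses a constructed assertion with xml.etree and applies both checks with a small clock-skew allowance; the sample XML, the 60-second CLOCK_SKEW value and the helper names are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLOCK_SKEW = timedelta(seconds=60)  # assumed tolerance for clock drift between issuer and application

# Constructed sample assertion, not a real KMD Identity response. Only the
# lifetime attributes matter here and they follow the values described above:
# SubjectConfirmationData NotOnOrAfter = IssueInstant + 5 minutes,
# Conditions NotBefore = IssueInstant, Conditions NotOnOrAfter = IssueInstant + 1 hour.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://app.example.test/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T13:00:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML dateTime values are UTC ('Z'); fractional seconds are dropped."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def assertion_lifetimes(xml_text):
    """Extract the four lifetime attributes from an Assertion element."""
    root = ET.fromstring(xml_text)
    confirm = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    conditions = root.find("saml:Conditions", SAML_NS)
    if confirm is None or conditions is None:
        raise ValueError("assertion lacks SubjectConfirmationData or Conditions")
    return {
        "issue_instant": parse_saml_time(root.attrib["IssueInstant"]),
        "confirm_not_on_or_after": parse_saml_time(confirm.attrib["NotOnOrAfter"]),
        "not_before": parse_saml_time(conditions.attrib["NotBefore"]),
        "not_on_or_after": parse_saml_time(conditions.attrib["NotOnOrAfter"]),
    }


def can_create_session(lt, now):
    """Whether the assertion may still be used to establish a user session.
    The SubjectConfirmationData deadline (5 minutes) gates session creation only."""
    return (now >= lt["not_before"] - CLOCK_SKEW
            and now < lt["confirm_not_on_or_after"] + CLOCK_SKEW
            and now < lt["not_on_or_after"] + CLOCK_SKEW)


def session_valid(lt, now):
    """Whether a session created from the assertion may continue.
    Past Conditions NotOnOrAfter (1 hour) the user must be re-authenticated."""
    return lt["not_before"] - CLOCK_SKEW <= now < lt["not_on_or_after"] + CLOCK_SKEW


def minutes_after_issue(lt, minutes):
    """Helper for exercising the checks relative to IssueInstant."""
    return lt["issue_instant"] + timedelta(minutes=minutes)


if __name__ == "__main__":
    lt = assertion_lifetimes(SAMPLE_ASSERTION)
    for m in (2, 10, 59, 61):
        now = minutes_after_issue(lt, m)
        print(f"+{m:>2} min: create session={can_create_session(lt, now)}, "
              f"session valid={session_valid(lt, now)}")
```

Running the script shows the split: ten minutes after issue the assertion can no longer start a session, yet a session already created from it stays valid until the one-hour Conditions deadline. Signature validation, audience and Recipient checks are deliberately outside this example; they must happen before any of these time checks are trusted.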
OpenID protocol
KMD Identity issues an id_token, an access_token and a refresh_token when the Authorization Code Flow is used.
The id_token and access_token are valid for 1 hour across all Identity Providers.
The expiry of a refresh token depends on the Identity Provider (NemLog-in, Unilogin, Azure AD, etc.), but defaults to a minimum of 8 hours.
When the id_token and access_token expire your application must:
- If refresh_token is no longer valid: Re-authenticate the user.
- If refresh_token is still valid: Use the following documentation (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-openid-connect-oauth-flows-scenarios#refresh-token-grant-flow) to retrieve a new id_token and access_token. When this happens the refresh token is rotated: a new one is issued and the old one can no longer be used. This is according to best practice. Note that the expiration of the refresh token remains the same. Rotation can be disabled by contacting KMD Identity and supplying your application ID, but we do not recommend it.
If you wish to revoke a refresh token it can be done by making a POST request to the https://identity.kmd.dk/adfs/oauth2/revoke/ endpoint, with the body containing a parameter named "token" whose value is the refresh token. The Content-Type must be application/x-www-form-urlencoded. This makes the token invalid.
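The decision logic above (use the tokens, refresh, or re-authenticate), the rotation rule and the revocation request can be kept in one small client-side component. The following is an added example written for this page, not code from KMD Identity; it builds the refresh-token grant and revocation requests with urllib without sending them, so it runs offline. The revocation endpoint is the one given on this page; the token endpoint URL, the 30-second LEEWAY, the TokenStore class and the sample JWT fixture are assumptions for illustration, and a confidential client's client_secret handling is shown only as an optional parameter.

```python
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request

# Revocation endpoint as given on this page.
REVOKE_ENDPOINT = "https://identity.kmd.dk/adfs/oauth2/revoke/"
# Assumed: the AD FS token endpoint of the same instance (not stated on this page).
TOKEN_ENDPOINT = "https://identity.kmd.dk/adfs/oauth2/token/"
FORM = {"Content-Type": "application/x-www-form-urlencoded"}
LEEWAY = 30  # seconds; assumed margin so a refresh happens slightly before hard expiry


def jwt_claims(token):
    """Decode the payload of a JWT for local expiry bookkeeping.
    The signature is deliberately not checked here: validate it when the token
    is first received, then trust the stored copy for scheduling refreshes."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def next_action(now, access_exp, refresh_exp):
    """Decide what the application must do at time `now` (epoch seconds)."""
    if now < access_exp - LEEWAY:
        return "use"            # id_token/access_token still valid (1 hour lifetime)
    if now < refresh_exp - LEEWAY:
        return "refresh"        # refresh-token grant; the refresh token will be rotated
    return "reauthenticate"     # refresh token expired too: start a new login


def build_refresh_request(client_id, refresh_token, client_secret=None):
    """Refresh-token grant as described in the linked AD FS documentation."""
    form = {"grant_type": "refresh_token", "client_id": client_id, "refresh_token": refresh_token}
    if client_secret is not None:
        form["client_secret"] = client_secret  # confidential clients only
    return Request(TOKEN_ENDPOINT, data=urlencode(form).encode(), headers=FORM, method="POST")


def build_revoke_request(refresh_token):
    """POST token=<refresh token> as application/x-www-form-urlencoded."""
    return Request(REVOKE_ENDPOINT, data=urlencode({"token": refresh_token}).encode(),
                   headers=FORM, method="POST")


class TokenStore:
    """Current token set for one user, applying rotation on every refresh."""

    def __init__(self, id_token, access_token, refresh_token, refresh_exp):
        self.id_token = id_token
        self.access_token = access_token
        self.access_exp = jwt_claims(id_token)["exp"]
        self.refresh_token = refresh_token
        self.refresh_exp = refresh_exp      # fixed at login; rotation does not extend it
        self.retired = set()                # old refresh tokens that must never be sent again

    def apply_refresh_response(self, body):
        """Store the tokens from a successful refresh-token grant response."""
        self.retired.add(self.refresh_token)
        self.id_token = body["id_token"]
        self.access_token = body["access_token"]
        self.access_exp = jwt_claims(body["id_token"])["exp"]
        self.refresh_token = body["refresh_token"]  # rotated: new value replaces the old

    def is_retired(self, refresh_token):
        return refresh_token in self.retired

    def action(self, now=None):
        return next_action(time.time() if now is None else now, self.access_exp, self.refresh_exp)


def make_sample_jwt(claims):
    """Constructed offline fixture with a placeholder signature; real tokens are signed."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "RS256", "typ": "JWT"})}.{enc(claims)}.constructed-signature'


if __name__ == "__main__":
    login_at = 1_700_000_000
    store = TokenStore(make_sample_jwt({"sub": "user", "exp": login_at + 3600}),
                       "access-1", "refresh-1", refresh_exp=login_at + 8 * 3600)
    for t in (login_at, login_at + 3600, login_at + 8 * 3600):
        print(f"t+{(t - login_at) // 3600}h: {store.action(t)}")
    req = build_revoke_request(store.refresh_token)
    print(req.get_method(), req.full_url, req.data)
```

The retired set is the point of the rotation rule: once a refresh response has been applied, the previous refresh token is both useless and a signal, since any later attempt to use it indicates either a client bug or a leaked token, and is worth logging.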
Can lifetime of tokens be changed in KMD Identity?
The lifetime of tokens in KMD Identity is based on:
- Best practices - short-lived tokens reduce the risk of tokens being used for malicious purposes
- A fine balance between giving users a good user experience while at the same time complying with the policies of the Identity Provider doing the actual authentication, which thereby decides how long a token should be valid
While it is possible to change the lifetime of certain tokens issued by KMD Identity, we strongly recommend not changing the lifetime of any token for your application due to the security implications. It can be a violation of the policies from the Identity Provider. Be advised that the application is responsible and bears the risk for the validity and security quality of such authentications and KMD Identity can in no way be held responsible.
Contact KMD Identity if you have any questions or comments, or if you wish to change the lifetime of tokens.