Lifetime of tokens - kmd-identity/documentation GitHub Wiki
Lifetime of tokens depends on the protocol used to integrate with KMD Identity.
SAML protocol
KMD Identity issues a SAML Response which includes a SAML Assertion (token). The lifetime-related contents of the SAML Assertion is:
- Assertion element with IssueInstant attribute. Determines when the SAML Assertion was issued.
- SubjectConfirmationData element with NotOnOrAfter attribute. Determines the latest time at which a User Session must be created in the application. It does not specify the length of the User Session. The value of NotOnOrAfter is set to IssueInstant + 5 minutes.
- Conditions element with NotBefore and NotOnOrAfter attributes. Determines the length of the User Session. Your application must re-authenticate a user when NotOnOrAfter has expired. The value of NotBefore is set to IssueInstant. The value NotOnOrAfter is set to IssueInstant + 1 hour.
OpenID protocol
KMD Identity issues an id_token, access_token and refresh_token when Authorization Code Flow is used.
The id_token and access_token are valid for 1 hour across all Identity Providers.
The expiry of a refresh token depends on the Identity Provider (NemLog-in, Unilogin, Azure AD's etc.), but defaults to a minimum of 8 hours.
When id_token and access_token expires your application must:
- If refresh_token is no longer valid: Re-authenticate the user.
- If refresh_token is still valid: Use the following documentation (https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-openid-connect-oauth-flows-scenarios#refresh-token-grant-flow) to retrieve a new id_token and access_token. When this happens the refresh token is rotated, a new one is issued and the old one can no longer be used. This is according to best practice. Note that the expiration of the refresh token remains the same. Rotation can be disabled by contacting KMD Identity and supplying your application ID, but we do not recommend it.
You can also contact KMD Identity to enable sliding expiration of refresh tokens for mobile apps, provided that device security measures (PIN code and/or biometric authentication) are enforced and a mechanism for refresh token revocation is implemented. When this is enabled, rotating a refresh token (as described above) can extend the lifetime of the new refresh token rather than keeping the same lifetime. The size of this extended window can be configured separately from the lifetime of the initial refresh token. We enforce a maximum limit of 90 days beyond which point you cannot extend the refresh token any more. This limit can be reduced but not increased further. Enabling sliding expiration allows users to only rarely having to sign in, as long as the refresh token is rotated regularly.
For more details about the recommendations by Digitaliseringsstyrelsen regarding refresh tokens, see section 5 in https://digst.dk/media/u2lf1pvo/oio-openid-connect-profiles.pdf.
If you wish to revoke a refresh token it can be done by making a POST request to https://identity.kmd.dk/adfs/oauth2/revoke/ endpoint, with the body containing a parameter named “token” and the value of the refresh token. The Content-Type must be: application/x-www-form-urlencoded. This makes the token invalid.
Considering changing lifetime of tokens from KMD Identity?
The lifetime of tokens in KMD Identity are based on:
- Best practices - Short lived tokens reduces the risk of tokens being used for malicious purposes
- A fine balance between giving users a good user experience while at the same time complying with the policies of the Identity Provider doing the actual authentication and thereby deciding how long a token should be valid
While it is possible to change the lifetime of certain tokens issued by KMD Identity, we strongly recommend not changing the lifetime of any token for your application due to the security implications. It can be a violation of the policies from the Identity Provider. Be advised that the application is responsible and bears the risk for the validity and security quality of such authentications and KMD Identity can in no way be held responsible.
Contact KMD Identity if you have any questions, comments or wish to change lifetime of tokens.