4 changes: 2 additions & 2 deletions docs/identity-platform/configurable-token-lifetimes.md
Expand Up @@ -89,7 +89,7 @@ Access, ID, and SAML2 token configuration are affected by the following properti
- Access tokens: varies, depending on the client application requesting the token. For example, continuous access evaluation (CAE) capable clients that negotiate CAE-aware sessions will see a long lived token lifetime (up to 28 hours).
- ID tokens, SAML2 tokens: One hour
- **Minimum**: 10 minutes
- **Maximum**: One day
- **Maximum**: 23 hours, 59 minutes, and 59 seconds

### Refresh and session token lifetime policy properties

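Review bot: The new **Maximum** of 23 hours, 59 minutes, and 59 seconds sits two bullets below the access token default, which says CAE-capable clients can see lifetimes of up to 28 hours, so the list now reads as if a default can exceed the maximum. Suggest stating that the minimum and maximum bound the value that can be set in a policy, and that the CAE lifetime falls outside that range. A short note on why the value is just under one day would also keep readers from rounding it back to 24 hours.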
Expand All @@ -103,7 +103,7 @@ Refresh and session token configuration are affected by the following properties
|Single-Factor Session Token Max Age |MaxAgeSessionSingleFactor |Session tokens (persistent and non-persistent) |Until-revoked |
|Multi-Factor Session Token Max Age |MaxAgeSessionMultiFactor |Session tokens (persistent and non-persistent) |Until-revoked |

Non-persistent session tokens have a Max Inactive Time of 24 hours whereas persistent session tokens have a Max Inactive Time of 90 days. Anytime the SSO session token is used within its validity period, the validity period is extended another 24 hours or 90 days. If the SSO session token isn't used within its Max Inactive Time period, it's considered expired and are no longer accepted. Any changes to this default period should be changed using [Conditional Access](~/identity/conditional-access/howto-conditional-access-session-lifetime.md).
Non-persistent session tokens have a Max Inactive Time of 23 hours, 59 minutes, and 59 seconds whereas persistent session tokens have a Max Inactive Time of 90 days. Anytime the SSO session token is used within its validity period, the validity period is extended another 24 hours or 90 days. If the SSO session token isn't used within its Max Inactive Time period, it's considered expired and are no longer accepted. Any changes to this default period should be changed using [Conditional Access](~/identity/conditional-access/howto-conditional-access-session-lifetime.md).

You can use PowerShell to find the policies that will be affected by the retirement. Use the [PowerShell cmdlets](configure-token-lifetimes.yml) to see the all policies created in your organization, or to find which apps are linked to a specific policy.

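Review bot: In the changed paragraph, the first sentence now gives the non-persistent Max Inactive Time as 23 hours, 59 minutes, and 59 seconds, but the next sentence still says the validity period "is extended another 24 hours or 90 days", so the two figures disagree. Update the second sentence to match, or phrase it as "extended by another Max Inactive Time period". While this line is being edited, "it's considered expired and are no longer accepted" should read "is no longer accepted", and the context line below it has "see the all policies".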