13.36.3 Configuring Timeout

Specify the following details to configure timeouts:

  1. Session Timeout: Specify the time in seconds. By default, this value is set to 1200 seconds. This is the timeout of the Web Authentication session used for authenticating users. If the session is idle for more than the specified time, the session expires and the user must authenticate again before performing any action that requires an authenticated session. This timeout value applies to OAuth2 / OpenID Connect and SAML events.

    NOTE: Advanced Authentication user enrollment uses Web Authentication for authenticating users. After the authentication, the OSP session is not in use and Advanced Authentication manages its own sessions. An OAuth2 / OpenID Connect application might use the Web Authentication session.

  2. Authorization Code Timeout: Specify the time in seconds. By default, this value is set to 120 seconds. This timeout value indicates how long the authorization code is valid. A request for an Access Token or an ID Token fails if the Authorization Code has expired. The Authorization Code becomes invalid if the client does not exchange it for a token at the server within the specified time.

    For security reasons, some OAuth2 / OpenID Connect code flow schemes require that an Authorization Code be requested first. The Authorization Code is then used to request an Access Token and an ID Token.

  3. Access Token Timeout: Specify the time in seconds for which the access token is valid. By default, this value is set to 120 seconds. Once the token expires, a new token is required before accessing the protected resources. The application might obtain a new token by using a Refresh Token and the client secret; otherwise, the user is required to authenticate again.

  4. Refresh Token Timeout: Specify the time in seconds for which the refresh token is valid. Once the token expires, it can no longer be used to create a new Access Token. By default, this value is set to 2592000 seconds.

  5. Public Refresh Token Timeout: Specify the time in seconds for which a refresh token issued to a public client is valid. There are two client types, private and public; this value applies to public clients. By default, this value is set to 3600 seconds.

  6. Session Token Revocation Timeout: Specify the time in seconds for which the session-based refresh token revocation entries are retained. Retained entries are removed when the session is properly logged out or after the refresh token expires. By default, this value is set to 172800 seconds.
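The following is an added example, not OSP product code, that models how the Authorization Code, Access Token, Refresh Token and Public Refresh Token timeouts above interact in a code flow. It uses the page's default values; the grant representation, function names and the rule that a public client receives the shorter refresh token lifetime are assumptions made for illustration.

```python
"""Model of the OSP timeout settings (added example, not product code).
Durations are the page's defaults; Grant, issue_code, exchange_code and
refresh are assumed names used only to show how the lifetimes interact."""
from dataclasses import dataclass, field
import secrets


@dataclass
class TimeoutPolicy:
    # Default lifetimes in seconds, as listed on this page.
    authorization_code: int = 120
    access_token: int = 120
    refresh_token: int = 2592000        # private (confidential) clients
    public_refresh_token: int = 3600    # public clients


@dataclass
class Grant:
    kind: str                 # "code", "access" or "refresh"
    client_id: str
    public_client: bool
    issued_at: int            # seconds since epoch (passed in for determinism)
    lifetime: int
    value: str = field(default_factory=lambda: secrets.token_urlsafe(16))

    def valid_at(self, now: int) -> bool:
        # Expired only once more than `lifetime` seconds have passed.
        return now - self.issued_at <= self.lifetime


def issue_code(policy: TimeoutPolicy, client_id: str, public_client: bool, now: int) -> Grant:
    return Grant("code", client_id, public_client, now, policy.authorization_code)


def exchange_code(policy: TimeoutPolicy, code: Grant, now: int):
    """Code exchange: rejected once the code has expired; otherwise returns
    (access_token, refresh_token) with the client-type-dependent refresh life."""
    if code.kind != "code" or not code.valid_at(now):
        return None
    rt_life = policy.public_refresh_token if code.public_client else policy.refresh_token
    access = Grant("access", code.client_id, code.public_client, now, policy.access_token)
    refresh_tok = Grant("refresh", code.client_id, code.public_client, now, rt_life)
    return access, refresh_tok


def refresh(policy: TimeoutPolicy, refresh_token: Grant, now: int):
    """Mint a new access token from a still-valid refresh token, else None
    (the user must then authenticate again)."""
    if refresh_token.kind != "refresh" or not refresh_token.valid_at(now):
        return None
    return Grant("access", refresh_token.client_id, refresh_token.public_client,
                 now, policy.access_token)
```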