NOTE: Trivore ID Documentation has moved to https://trivoreid.com
The content on this site IS OUT OF DATE!
This space has been archived!
Please go ahead to the new site!
Token lifetime discussion
Permalink: https://doc.oneportal.fi/x/LoIW
There has been, and still is, discussion about how long the lifetime of an ID token and an access token should be.
There is no single answer. Below we have collected a link on the subject.
https://www.oauth.com/oauth2-servers/access-tokens/access-token-lifetime/
For better agility, we recommend starting with a relatively short token lifetime, such as 20 minutes. Then, when necessary, use a refresh token to regain access to the resources. Should your application require something different, adjust the lifetime accordingly.
If at any later time there is reason to revoke a token, the revocation takes effect rather quickly, because the outstanding access token expires soon after. After such a revocation, the user is asked to sign in normally. That is the only action needed.
Using very long token lifetimes, such as a year, can cause nasty surprises: a revoked or leaked token stays usable until it expires.
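The following Python model is an added example and is not Trivore ID code; it uses no real OAuth library and every value in it (the subject name, the epoch timestamps, the 30-day refresh token lifetime) is a constructed assumption. It walks through the lifecycle described above: a 20-minute access token, a silent refresh when it expires, a revocation, and the point at which the user has to sign in again. The resource server only checks the expiry, as it would for a self-contained token, which is exactly why a revoked session can outlive revocation by at most one access token lifetime.

```python
"""Toy model of short-lived access tokens, refresh and revocation (constructed example)."""
import secrets
from dataclasses import dataclass, field

ACCESS_TOKEN_LIFETIME = 20 * 60             # 20 minutes, the page's suggested starting point
REFRESH_TOKEN_LIFETIME = 30 * 24 * 60 * 60  # 30 days: an assumed value, not from the page


@dataclass
class Token:
    value: str
    subject: str
    expires_at: int   # Unix time in seconds


@dataclass
class AuthorizationServer:
    """Issues access/refresh token pairs and honours revocation of refresh tokens."""
    access_lifetime: int = ACCESS_TOKEN_LIFETIME
    refresh_lifetime: int = REFRESH_TOKEN_LIFETIME
    _refresh_tokens: dict = field(default_factory=dict)   # refresh value -> Token

    def _issue_pair(self, subject, now):
        access = Token(secrets.token_urlsafe(32), subject, now + self.access_lifetime)
        refresh = Token(secrets.token_urlsafe(32), subject, now + self.refresh_lifetime)
        self._refresh_tokens[refresh.value] = refresh
        return access, refresh

    def sign_in(self, subject, now):
        """Interactive sign-in: the only action the user needs after a revocation."""
        return self._issue_pair(subject, now)

    def refresh(self, refresh_value, now):
        """Refresh grant: returns a new pair, or None if the token is revoked, used or expired."""
        old = self._refresh_tokens.pop(refresh_value, None)   # single use: rotate on every refresh
        if old is None or old.expires_at <= now:
            return None
        return self._issue_pair(old.subject, now)

    def revoke(self, refresh_value):
        """Server-side revocation; already-issued access tokens are not recalled."""
        self._refresh_tokens.pop(refresh_value, None)


def resource_server_accepts(access, now):
    """Stateless check, as for a self-contained token: only the expiry is examined,
    so a revoked session stays usable until `expires_at`."""
    return now < access.expires_at


def run_scenario():
    """Walk the token lifecycle and record whether each request is accepted."""
    events = []
    srv = AuthorizationServer()
    t0 = 1_700_000_000   # constructed epoch timestamp
    access, refresh_tok = srv.sign_in("alice", t0)
    events.append(("t+0m request", resource_server_accepts(access, t0)))

    t1 = t0 + 25 * 60    # 25 minutes later: the 20-minute access token has expired
    events.append(("t+25m request, stale token", resource_server_accepts(access, t1)))
    access, refresh_tok = srv.refresh(refresh_tok.value, t1)   # silent refresh, no sign-in
    events.append(("t+25m request after refresh", resource_server_accepts(access, t1)))

    srv.revoke(refresh_tok.value)   # e.g. an administrator revokes the session
    t2 = t1 + 5 * 60
    # The current access token outlives revocation, but by at most access_lifetime.
    events.append(("t+30m request, revoked session", resource_server_accepts(access, t2)))

    t3 = t1 + ACCESS_TOKEN_LIFETIME   # the last access token has now expired
    events.append(("t+45m request", resource_server_accepts(access, t3)))
    events.append(("t+45m refresh attempt", srv.refresh(refresh_tok.value, t3) is not None))
    return events   # the client now has no option but a normal sign-in


if __name__ == "__main__":
    for label, accepted in run_scenario():
        print(f"{label:38s} -> {'accepted' if accepted else 'rejected'}")
```

With a one-year lifetime the fourth step would stay "accepted" for up to a year after revocation; with 20 minutes the window closes at the next expiry, which is the property the recommendation above relies on.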