Lifespan (ttl) at consent

[kotyara85]

Hello everyone,
Is it possible to dynamically set exp token date overwriting def per token config?
We need this so we can have tokens with the same client_id and diffirent ext time
Thanks!

@aeneasr

[vinckr]

Hello @kotyara85
Sorry for the late reply!

Yes, it is possible to dynamically set the expiration time of tokens in Ory Hydra, overwriting the default per token configuration. This can be done for various tokens including access tokens, ID tokens, auth codes, and refresh tokens.
For global configuration in Ory Network, you can use the Ory CLI to set the lifespan of the access token and refresh token. Here are the commands:

# Set access token lifespan to two hours globally
ory patch oauth2-config {project.id} \  
 --replace "/ttl/access_token=\"2h\"" \  
 --format yaml  

# Set refresh token lifespan to one day globally
ory patch oauth2-config {project.id} \  
 --replace "/ttl/refresh_token=\"24h\"" \  
 --format yaml

For specific clients, you can modify the access, ID, and refresh token lifespan for each grant type individually per client using the SDK. This way, you can have tokens with the same client_id but different expiration times:

(import { Configuration, OAuth2Api } from "@ory/client"  
  
const ory = new OAuth2Api(  
 new Configuration({  
 basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,  
 accessToken: process.env.ORY_API_KEY,  
 }),  
)  
  
export async function setClientLifespans(clientId: string) {  
 await ory.setOAuth2ClientLifespans({  
 id: clientId,  
 oAuth2ClientTokenLifespans: {  
 authorization_code_grant_access_token_lifespan: "1h",  
 authorization_code_grant_id_token_lifespan: "12h",  
 authorization_code_grant_refresh_token_lifespan: "24h",  
 client_credentials_grant_access_token_lifespan: "1h",  
 implicit_grant_access_token_lifespan: "1h",  
 implicit_grant_id_token_lifespan: "12h",  
 jwt_bearer_grant_access_token_lifespan: "1h",  
 refresh_token_grant_access_token_lifespan: "1h",  
 refresh_token_grant_id_token_lifespan: "12h",  
 refresh_token_grant_refresh_token_lifespan: "24h",  
 },  
 })  
})

(see also: Ory Documentation - Configure token expiration time
)

[kotyara85]

Hi @vinckr,
I don’t think that will actually address my issue.
let’s say 100 users are trying to auth and half set 1h expiration on the client and another 2h. It’s very possible that will result in wrong expiration set on the tokens.
I guess there needs to be some distributed lock implemented in order to allow that happen.
Thanks

[vinckr]

I see, that makes sense.
Have you had a look if there is an open issue/feature request for this?

ps: I will mark this thread as answer regardless, bc I think that is the most we can do right now.