Reputation: 33
Is id_token meant to have a longer lifetime than access token?
Here the idea that the id_token can have a short lifetime is suggested: What is intent of ID Token expiry time in OpenID Connect?
However, here it is said that id_token lifetime is set to 10 hours by default to optimize performance.
https://auth0.com/docs/tokens/id-token
I have seen OpenID Connect client libraries that do not allow access to resources when either the access or id token is invalid (e.g. it has expired). https://github.com/damienbod/angular-auth-oidc-client
Is this correct?
What is the relationship between id token and access token regarding their lifetime?
Upvotes: 3
Views: 2136
Reputation: 1933
Is id_token meant to have a longer lifetime than access token?
No, usually not.
The common way of dealing with id_token is just to verify that the user is authenticated, get info about the user from that token, cache that info and never use id_token again (because you just don't need it afterwards). But your client app may have some logic related to id_token, so you may want to have it live longer. For example, the mentioned angular-auth-oidc-client lib uses the id_token expiration date to perform silent renew when the token becomes expired.
Here the idea that the id_token can have a short lifetime is suggested. However, here it is said that id_token lifetime is set to 10 hours by default.
Well, 10 hours is still a short time, though IdentityServer4, for example, has 5 minutes by default.
What is the relationship between id token and access token regarding their lifetime?
To sum up: it depends on your client. Usually it's ok to have a short-lived id_token, but for example if you are using the angular-auth-oidc-client library with Implicit flow then it doesn't make much sense to have different expiry times for access and id tokens, and if you don't want to perform silent refresh too often, then the lifetime should be sufficient, 1 hour or more I would say.
Upvotes: 2
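An added example (not code from the question, the answer, or the angular-auth-oidc-client project) showing how a browser client can track the two expiry times separately: the access token's `exp` gates API calls, while the id_token's `exp` decides whether the cached authentication is still trustworthy and when a silent renew is due. The JWTs are constructed, unsigned samples and the helper names are assumptions; a real client must also verify the id_token's signature, issuer and audience before trusting any claim.

```javascript
// Added example: independent lifetime handling for access token and id_token.
// Sample tokens are constructed here for illustration; the signature is a placeholder.

function base64UrlDecode(str) {
  const pad = '='.repeat((4 - (str.length % 4)) % 4);
  const b64 = (str + pad).replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read the exp claim (seconds since epoch) from a JWT. This only parses; it does
// not validate the token, which must happen separately against the IdP's keys.
function expiresAt(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const claims = JSON.parse(base64UrlDecode(parts[1]));
  if (typeof claims.exp !== 'number') throw new Error('missing exp claim');
  return claims.exp;
}

// Decide what the client may do at time `now` (seconds). Access token expiry gates
// resource calls; id_token expiry decides whether the cached user info is still
// current. A library that ties both to the id_token (as the answer describes)
// would effectively use `sessionValid` for both decisions.
function tokenState(accessToken, idToken, now, skewSeconds = 30) {
  const accessOk = expiresAt(accessToken) - skewSeconds > now;
  const idOk = expiresAt(idToken) - skewSeconds > now;
  return { canCallApi: accessOk, sessionValid: idOk, needsSilentRenew: !accessOk || !idOk };
}

// Constructed sample token: header + payload + placeholder signature (no real key).
function makeToken(exp) {
  const header = base64UrlEncode({ alg: 'RS256', typ: 'JWT' });
  const payload = base64UrlEncode({ iss: 'https://idp.example', sub: 'user-1', exp });
  return `${header}.${payload}.placeholder-signature`;
}

function demo() {
  const issued = 1700000000;
  const access = makeToken(issued + 3600); // 1 hour access token
  const id = makeToken(issued + 300);      // 5 minute id_token (IdentityServer4 default)
  console.log(tokenState(access, id, issued));       // both valid
  console.log(tokenState(access, id, issued + 600)); // id_token expired, access still usable
}
demo();
```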